Windows Analysis Report
#U8fdd#U89c4#U540d#U5355.exe

Overview

General Information

Sample name: #U8fdd#U89c4#U540d#U5355.exe (renamed because original name is a hash value)
Original sample name: .exe
Analysis ID: 1443624
MD5: 5d84e6ed7d8e9b89fae2771d6870393e
SHA1: fee5fe80e8cf95156c1129079747729f9ad54cef
SHA256: 193a19a4d22e3f959cd43b0aa05c11a3793283a27f9af95e8d468693277ef128
Tags: exe

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to detect sleep reduction / modifications
Drops executables to the windows directory (C:\Windows) and starts them
Enables network access during safeboot for specific services
Found evasive API chain (may stop execution after checking mutex)
Found stalling execution ending in API Sleep call
Modifies the windows firewall
Monitors registry run keys for changes
Registers a service to start in safe boot mode
Sample is not signed and drops a device driver
Tries to open files direct via NTFS file id
Uses netsh to modify the Windows network and firewall settings
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Weak or Abused Passwords In CLI
Spawns drivers
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • #U8fdd#U89c4#U540d#U5355.exe (PID: 7864 cmdline: "C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe" MD5: 5D84E6ED7D8E9B89FAE2771D6870393E)
    • Dism.exe (PID: 7960 cmdline: dism /mount-wim /wimfile:"C:\Users\user\AppData\Local\Temp\System.wim" /index:1 /mountdir:"C:\Users\user\AppData\Local\Temp\System" MD5: C100B8F80EE9C3E4D4448634025910B5)
      • conhost.exe (PID: 7968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wimserv.exe (PID: 8036 cmdline: wimserv.exe a87a5149-c7b0-4e41-bd88-ef52e4b1f2cb MD5: 7477F87C3C1D7633A0E003BE6AA01020)
    • 7z.exe (PID: 8120 cmdline: C:\Users\user\AppData\Local\Temp\7z.exe x LInstSvr.7z -oC:\Windows -pa123456789 -y MD5: 36A3807A11DF584777165172C71797EE)
      • conhost.exe (PID: 8128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • 7z.exe (PID: 5640 cmdline: C:\Users\user\AppData\Local\Temp\7z.exe x winrdlv3.rar -oC:\Windows\system32 -pa123456789 -y MD5: 36A3807A11DF584777165172C71797EE)
      • conhost.exe (PID: 7184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5872 cmdline: cmd /c netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 5644 cmdline: netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
    • cmd.exe (PID: 3444 cmdline: cmd /c netsh advfirewall firewall add rule name="winrdlv3" dir=out action=allow program="C:\Windows\system32\winrdlv3.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 2744 cmdline: netsh advfirewall firewall add rule name="winrdlv3" dir=out action=allow program="C:\Windows\system32\winrdlv3.exe" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
    • systecv3.exe (PID: 6920 cmdline: "C:\Program Files (x86)\Common Files\System\systecv3.exe" SW_HIDE MD5: B9E0A7CBD7FDB4D179172DBDD453495A)
    • winrdgv3.exe (PID: 7352 cmdline: "C:\Program Files (x86)\Common Files\System\winrdgv3.exe" SW_HIDE MD5: 97AC3EF2E098C4CB7DD6EC1D14DC28F1)
    • winrdlv3.exe (PID: 5664 cmdline: "C:\Windows\system32\winrdlv3.exe" SW_HIDE MD5: 0CBEB75D3090054817EA4DF0773AFE35)
    • Dism.exe (PID: 1656 cmdline: Dism /Unmount-Wim /MountDir:"C:\Users\user\AppData\Local\Temp\System" /commit MD5: C100B8F80EE9C3E4D4448634025910B5)
      • conhost.exe (PID: 1280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • wimmount.sys (PID: 4 cmdline: MD5: 416B0938189ED0D4A8B5BBBE3F045269)
  • winrdgv3.exe (PID: 5232 cmdline: "C:\Program Files (x86)\Common Files\System\winrdgv3.exe" MD5: 97AC3EF2E098C4CB7DD6EC1D14DC28F1)
    • winrdlv3.exe (PID: 7276 cmdline: C:\Windows\SysWow64\winrdlv3.exe winwdgv3.dll,RunMonitor32 MD5: 0CBEB75D3090054817EA4DF0773AFE35)
      • winrdlv3.exe (PID: 7368 cmdline: C:\Windows\SysWow64\winrdlv3.exe winoav3.dll,RunAgent32 MD5: 0CBEB75D3090054817EA4DF0773AFE35)
        • regsvr32.exe (PID: 2400 cmdline: C:\Windows\system32\regsvr32.exe /s trmenushl64.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
  • svchost.exe (PID: 1856 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • nwifi.sys (PID: 4 cmdline: MD5: 8CA2DD9A18327EFBD5D7E8E099E36BD4)
  • ndisuio.sys (PID: 4 cmdline: MD5: 09BD40437780ED584D06519373ACEDC7)
  • svchost.exe (PID: 2168 cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 2780 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -s TermService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 6396 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found

Source | Rule | Description | Author | Strings
C:\Windows\SysWOW64\winoav3.dll | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
C:\Windows\bakoav3.sys | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |

Source | Rule | Description | Author | Strings
00000006.00000003.1419070470.0000000003C95000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
Process Memory Space: 7z.exe PID: 8120 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
Process Memory Space: winrdlv3.exe PID: 7368 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |

Source | Rule | Description | Author | Strings
6.3.7z.exe.31b0000.1.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
20.2.winrdlv3.exe.10000000.1.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |

Source: Process started, Author: Max Altgelt (Nextron Systems): Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\wimmount.sys, NewProcessName: C:\Windows\System32\drivers\wimmount.sys, OriginalFileName: C:\Windows\System32\drivers\wimmount.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: wimmount.sys
Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Users\user\AppData\Local\Temp\7z.exe x LInstSvr.7z -oC:\Windows -pa123456789 -y, CommandLine: C:\Users\user\AppData\Local\Temp\7z.exe x LInstSvr.7z -oC:\Windows -pa123456789 -y, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\7z.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\7z.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\7z.exe, ParentCommandLine: "C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe", ParentImage: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe, ParentProcessId: 7864, ParentProcessName: #U8fdd#U89c4#U540d#U5355.exe, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\7z.exe x LInstSvr.7z -oC:\Windows -pa123456789 -y, ProcessId: 8120, ProcessName: 7z.exe
Source: Process started, Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc, ProcessId: 1856, ProcessName: svchost.exe

No Snort rule has matched

AV Detection

Source: #U8fdd#U89c4#U540d#U5355.exe, Virustotal: Detection: 17%
Source: #U8fdd#U89c4#U540d#U5355.exe, ReversingLabs: Detection: 23%
Source: 7z.exe, 00000006.00000003.1419070470.0000000003E37000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: -----BEGIN PUBLIC KEY----- (memstr_1f28720f-6)
Source: #U8fdd#U89c4#U540d#U5355.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe, File created: C:\Users\user\AppData\Local\Temp\LICENSE.electron.txt
Source: Binary string: E:\WorkshopAgent\DevelopProj\Code\PreRelease\V4\PreRelease\Bin\Release\systecv3.pdb source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.00000000040AE000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469806614.0000020C89D5E000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000435D000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, 00000011.00000003.1440074983.000000000245B000.00000004.00000020.00020000.00000000.sdmp, systecv3.exe.5.dr
Source: Binary string: E:\WorkshopAgent\DevelopProj\Code\V4\4.73.808.X\4.0.0.31\Bin\Release\winoav3.pdb source: 7z.exe, 00000006.00000003.1419070470.0000000003F5D000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\WorkshopAgent\DevelopProj\Code\PreRelease\V4\PreRelease\Bin\Release\WinRdgv3.pdb source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1406208405.000000000408F000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469804953.0000020C89ED4000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004101000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, 00000011.00000002.1444354206.0000000000936000.00000004.00000020.00020000.00000000.sdmp, Dism.exe, 00000017.00000003.1468203772.000000000531B000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe.0.dr
Source: Binary string: E:\WorkshopAgent\DevelopProj\Code\PreRelease\V4\PreRelease\Bin\Release\WinWdgv3.pdb source: 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000008.00000003.1428707960.0000000003156000.00000004.00001000.00020000.00000000.sdmp, winwdgv3.dll.8.dr
Source: Binary string: E:\WorkshopAgent\DevelopProj\Code\PreRelease\V4\PreRelease\Bin\Release\WinWdgv364.pdb source: 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: H:\WorkshopAgent\DevelopProjX\winrdlv3\Bin\Release\WinRdlv3.pdb source: 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\WorkshopAgent\DevelopProj2\AgentInstaller\Inner\PreRelease\AInstallV3\Bin\Unicode_Release\LInstSvr.pdb source: 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, LInstSvr.exe.6.dr
Source: C:\Windows\SysWOW64\winrdlv3.exe, File opened: z:
Source: C:\Windows\SysWOW64\winrdlv3.exe, File opened: x:
Source: C:\Windows\SysWOW64\winrdlv3.exe, File opened: v:
Source: C:\Windows\SysWOW64\winrdlv3.exe, File opened: t:
Source: C:\Windows\SysWOW64\winrdlv3.exe, File opened: r:
Source: C:\Windows\SysWOW64\winrdlv3.exe, File opened: p:
Source: C:\Windows\SysWOW64\winrdlv3.exe, File opened: n:
Source: C:\Windows\SysWOW64\winrdlv3.exe, File opened: l:
Source: C:\Windows\SysWOW64\winrdlv3.exe, File opened: j:
Source: C:\Windows\SysWOW64\winrdlv3.exe, File opened: h:
Source: C:\Windows\SysWOW64\winrdlv3.exe, File opened: f:
Source: C:\Windows\SysWOW64\winrdlv3.exe, File opened: d:
Source: C:\Windows\SysWOW64\winrdlv3.exe, File opened: b:
Source: C:\Windows\SysWOW64\winrdlv3.exe, File opened: y:
Source: C:\Windows\SysWOW64\winrdlv3.exe, File opened: w:
Source: C:\Windows\SysWOW64\winrdlv3.exe, File opened: u:
Source: C:\Windows\SysWOW64\winrdlv3.exe, File opened: s:
Source: C:\Windows\SysWOW64\winrdlv3.exe, File opened: q:
Source: C:\Windows\SysWOW64\winrdlv3.exe, File opened: o:
Source: C:\Windows\SysWOW64\winrdlv3.exe, File opened: m:
Source: C:\Windows\SysWOW64\winrdlv3.exe, File opened: k:
Source: C:\Windows\SysWOW64\winrdlv3.exe, File opened: i:
Source: C:\Windows\SysWOW64\winrdlv3.exe, File opened: g:
Source: C:\Windows\SysWOW64\winrdlv3.exe, File opened: e:
Source: C:\Windows\SysWOW64\Dism.exe, File opened: c:
Source: C:\Windows\SysWOW64\winrdlv3.exe, File opened: a:
Source: C:\Users\user\AppData\Local\Temp\7z.exe, Code function: 6_2_001D62DF __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,6_2_001D62DF
Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe, File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe, File opened: C:\Users\user\
Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe, File opened: C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\
Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe, File opened: C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\ExecDos.dll
Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe, File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe, File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe, Code function: 4x nop then sub esp, 00000110h, 18_2_0041400B
Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe, Code function: 4x nop then mov ecx, dword ptr [esp+04h], 18_2_0049305C

                Networking

                Source: C:\Windows\SysWOW64\winrdlv3.exe Registry value created: NULL Service
                Source: global traffic TCP traffic: 192.168.2.11:49711 -> 45.125.48.89:8237
                Source: unknown TCP traffic detected without corresponding DNS query: 45.125.48.89
00000012.00000002.1497187127.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.drString found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
                Source: 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
                Source: 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                Source: #U8fdd#U89c4#U540d#U5355.exeString found in binary or memory: http://nsis.sf.net/NSIS_Error
                Source: #U8fdd#U89c4#U540d#U5355.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.00000000040AE000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1406208405.000000000408F000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469804953.0000020C89ED4000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469806614.0000020C89D5E000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000003F5D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004101000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000435D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000008.00000003.1428707960.0000000003156000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, 00000011.00000002.1444354206.0000000000936000.00000004.00000020.00020000.00000000.sdmp, systecv3.exe, 00000011.00000003.1440074983.000000000245B000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.0000000000910000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497766614.00000000011E5000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1445307891.000000000090E000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444495978.0000000000914000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 
00000012.00000002.1497187127.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.00000000040AE000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1406208405.000000000408F000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469804953.0000020C89ED4000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469806614.0000020C89D5E000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000003F5D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004101000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000435D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000008.00000003.1428707960.0000000003156000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, 00000011.00000002.1444354206.0000000000936000.00000004.00000020.00020000.00000000.sdmp, systecv3.exe, 00000011.00000003.1440074983.000000000245B000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.0000000000910000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497766614.00000000011E5000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1445307891.000000000090E000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444495978.0000000000914000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 
00000012.00000003.1444986146.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.00000000008FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.00000000040AE000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1406208405.000000000408F000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469804953.0000020C89ED4000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469806614.0000020C89D5E000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000003F5D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004101000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000435D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000008.00000003.1428707960.0000000003156000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, 00000011.00000002.1444354206.0000000000936000.00000004.00000020.00020000.00000000.sdmp, systecv3.exe, 00000011.00000003.1440074983.000000000245B000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.0000000000910000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 
00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497766614.00000000011E5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.drString found in binary or memory: http://ocsp.digicert.com0L
                Source: 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.drString found in binary or memory: http://ocsp.digicert.com0N
                Source: 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.drString found in binary or memory: http://ocsp.digicert.com0O
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.00000000040AE000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1406208405.000000000408F000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469804953.0000020C89ED4000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469806614.0000020C89D5E000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000003F5D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004101000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000435D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000008.00000003.1428707960.0000000003156000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, 00000011.00000002.1444354206.0000000000936000.00000004.00000020.00020000.00000000.sdmp, systecv3.exe, 00000011.00000003.1440074983.000000000245B000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.0000000000910000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497766614.00000000011E5000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1445307891.000000000090E000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444495978.0000000000914000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 
00000012.00000002.1497187127.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                Source: 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.drString found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
                Source: 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.drString found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
                Source: winrdlv3.exe, 00000013.00000002.2620234829.0000000000562000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.dig.
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.00000000040AE000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1406208405.000000000408F000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469804953.0000020C89ED4000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469806614.0000020C89D5E000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000003F5D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004101000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000435D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000008.00000003.1428707960.0000000003156000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, 00000011.00000002.1444354206.0000000000936000.00000004.00000020.00020000.00000000.sdmp, systecv3.exe, 00000011.00000003.1440074983.000000000245B000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.0000000000910000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497766614.00000000011E5000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 
00000012.00000003.1445307891.000000000090E000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444495978.0000000000914000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.drString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.00000000040AE000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469806614.0000020C89D5E000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469804953.0000020C89E35000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000003F5D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.00000000031B0000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000435D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000008.00000003.1428707960.0000000002F40000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, systecv3.exe, 00000011.00000002.1443141785.00000000005DF000.00000002.00000001.01000000.0000000F.sdmp, systecv3.exe, 00000011.00000000.1438557027.00000000005DF000.00000002.00000001.01000000.0000000F.sdmp, systecv3.exe, 00000011.00000003.1440074983.000000000245B000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1496088763.0000000000566000.00000002.00000001.01000000.00000011.sdmp, winrdgv3.exe, 00000012.00000000.1442175571.0000000000566000.00000002.00000001.01000000.00000011.sdmp, winrdlv3.exe, 00000013.00000002.2623324896.000000001019F000.00000002.00000001.01000000.00000013.sdmp, winrdlv3.exe, 00000014.00000002.2627709420.0000000010991000.00000002.00000001.01000000.00000014.sdmp, winrdgv3.exe, 00000015.00000002.1470129657.0000000000566000.00000002.00000001.01000000.00000011.sdmp, winrdgv3.exe, 00000015.00000000.1449479022.0000000000566000.00000002.00000001.01000000.00000011.sdmp, Dism.exe, 00000017.00000003.1468203772.000000000527C000.00000004.00000020.00020000.00000000.sdmp, systecv3.exe.5.drString found in binary or 
memory: http://www.openssl.org/support/faq.html
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.00000000040AE000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469806614.0000020C89D5E000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469804953.0000020C89E35000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000003F5D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.00000000031B0000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000435D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000008.00000003.1428707960.0000000002F40000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, 00000011.00000002.1443141785.00000000005DF000.00000002.00000001.01000000.0000000F.sdmp, systecv3.exe, 00000011.00000000.1438557027.00000000005DF000.00000002.00000001.01000000.0000000F.sdmp, systecv3.exe, 00000011.00000003.1440074983.000000000245B000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1496088763.0000000000566000.00000002.00000001.01000000.00000011.sdmp, winrdgv3.exe, 00000012.00000000.1442175571.0000000000566000.00000002.00000001.01000000.00000011.sdmp, winrdlv3.exe, 00000013.00000002.2623324896.000000001019F000.00000002.00000001.01000000.00000013.sdmp, winrdlv3.exe, 00000014.00000002.2627709420.0000000010991000.00000002.00000001.01000000.00000014.sdmp, winrdgv3.exe, 00000015.00000002.1470129657.0000000000566000.00000002.00000001.01000000.00000011.sdmp, winrdgv3.exe, 00000015.00000000.1449479022.0000000000566000.00000002.00000001.01000000.00000011.sdmp, Dism.exe, 00000017.00000003.1468203772.000000000527C000.00000004.00000020.00020000.00000000.sdmp, systecv3.exe.5.dr, winwdgv3.dll.8.drString found in binary or 
memory: http://www.openssl.org/support/faq.html....................
                Source: winrdgv3.exe, 00000012.00000002.1497543172.00000000010F5000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000002.2622011718.0000000000E59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.register-center.com/
                Source: winrdgv3.exe, 00000012.00000002.1497543172.00000000010F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.register-center.com/=C:
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1484600965.0000000000649000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.00000000040AE000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1483899194.000000000066E000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000002.1486796477.0000000000649000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000002.1486891079.0000000000676000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1406208405.000000000408F000.00000004.00000020.00020000.00000000.sdmp, #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000002.1487022338.00000000006D3000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469804953.0000020C89ED4000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469806614.0000020C89D5E000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000003E37000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004101000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000435D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000455C000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000008.00000003.1428707960.0000000003125000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, 
00000011.00000002.1444354206.0000000000936000.00000004.00000020.00020000.00000000.sdmp, systecv3.exe, 00000011.00000002.1443963988.0000000000658000.00000002.00000001.01000000.0000000F.sdmp, systecv3.exe, 00000011.00000003.1440074983.000000000245B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.register-center.com/N
                Source: winrdlv3.exe, 00000014.00000002.2622011718.0000000000E59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.register-center.com/w
                Source: winrdlv3.exe, 00000014.00000002.2622011718.0000000000E59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.register-center.com/xE
                Source: 7z.exe, 00000006.00000003.1419070470.0000000003E37000.00000004.00001000.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000002.2629479273.0000000010CAA000.00000008.00000001.01000000.00000014.sdmpString found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
                Source: servicephqghume_2023_09_23.log.0.drString found in binary or memory: https://st.todesk.com/config-center/sync-config?fullUpdate=false
                Source: servicephqghume_2023_09_23.log.0.drString found in binary or memory: https://st.todesk.com/config-center/sync-config?fullUpdate=true
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.drString found in binary or memory: https://www.digicert.com/CPS0
                Source: 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444986146.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000002.1497187127.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1444560402.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.drString found in binary or memory: https://www.globalsign.com/repository/0
                Source: 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443651812.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp, LInstSvr.exe.6.drString found in binary or memory: https://www.globalsign.com/repository/06
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeCode function: 0_2_0040512B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_0040512B
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_0049E750 GetTickCount,GetVersion,CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetObjectA,BitBlt,GetBitmapBits,SelectObject,DeleteObject,DeleteDC,DeleteDC,DeleteDC,18_2_0049E750
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_0054E35C GetKeyState,GetKeyState,GetKeyState,GetKeyState,18_2_0054E35C
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_00417EB0 OpenProcess,OpenProcess,OpenProcess,OpenProcess,NtQueryInformationProcess,CloseHandle,17_2_00417EB0
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_004A6280 NtQuerySystemInformation,GetCurrentProcessId,NtQuerySystemInformation,GetLastError,17_2_004A6280
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_00410AA0 NtQuerySystemInformation,NtQuerySystemInformation,17_2_00410AA0
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_0048AD90 LoadLibraryW,LoadLibraryA,NtCreateFile,NtOpenFile,NtClose,NtReadFile,NtWriteFile,NtQueryInformationFile,NtSetInformationFile,NtDeleteFile,17_2_0048AD90
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_00407360 NtOpenSymbolicLinkObject,NtClose,NtQuerySymbolicLinkObject,NtClose,17_2_00407360
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_0047C080 NtQuerySystemInformation,GetCurrentProcessId,NtQuerySystemInformation,GetLastError,18_2_0047C080
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_0045E580 LoadLibraryW,LoadLibraryA,NtCreateFile,NtOpenFile,NtClose,NtReadFile,NtWriteFile,NtQueryInformationFile,NtSetInformationFile,NtDeleteFile,18_2_0045E580
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_0040E920 NtQuerySystemInformation,NtQuerySystemInformation,18_2_0040E920
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: 19_2_1001DBF0 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,NtQuerySystemInformation,NtQueryInformationProcess,EnumProcesses,GetModuleFileNameExA,GetModuleFileNameExW,ProcessIdToSessionId,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,19_2_1001DBF0
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: 19_2_100186A0 NtQuerySystemInformation,NtQuerySystemInformation,19_2_100186A0
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: 19_2_10093100 NtQuerySystemInformation,GetCurrentProcessId,NtQuerySystemInformation,GetLastError,19_2_10093100
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: 19_2_10011750 NtQuerySystemInformation,NtQuerySystemInformation,19_2_10011750
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: 19_2_100785F0 LoadLibraryW,LoadLibraryA,NtCreateFile,NtOpenFile,NtClose,NtReadFile,NtWriteFile,NtQueryInformationFile,NtSetInformationFile,NtDeleteFile,19_2_100785F0
                Source: C:\Users\user\AppData\Local\Temp\7z.exeCode function: 6_2_001D66A9: DeviceIoControl,DeviceIoControl,DeviceIoControl,DeviceIoControl,DeviceIoControl,6_2_001D66A9
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_0041E220 OpenSCManagerA,OpenServiceA,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle,CreateProcessA,WaitForSingleObject,GetWindowsDirectoryA,CopyFileA,CopyFileA,CopyFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,MoveFileA,CopyFileA,GetFileAttributesA,CopyFileA,CopyFileA,OpenSCManagerA,OpenServiceA,CreateServiceA,ChangeServiceConfig2A,ChangeServiceConfig2A,QueryServiceConfigA,ChangeServiceConfigA,StartServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,RegCreateKeyA,RegSetValueExA,RegCloseKey,ShellExecuteA,17_2_0041E220
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_004102B0 CreateProcessAsUserW,CloseHandle,GetLastError,CloseHandle,CloseHandle,CloseHandle,17_2_004102B0
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeCode function: 0_2_0040323B EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,0_2_0040323B
                Source: C:\Users\user\AppData\Local\Temp\7z.exeFile created: C:\Windows\bakoav3.sysJump to behavior
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeFile created: C:\Windows\system32\winwdgv364.dllJump to behavior
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeFile created: C:\Windows\SysWOW64\OAgent.iniJump to behavior
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeFile created: C:\Windows\SysWOW64\msoapphash5.datJump to behavior
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeFile created: C:\Windows\SysWOW64\msodhash3.datJump to behavior
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeFile created: C:\Windows\SysWOW64\AgentTaskJump to behavior
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeFile created: C:\Windows\SysWOW64\AgentTask\AgentTaskList.datJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\7z.exeFile created: C:\Windows\win.iniJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\7z.exeFile created: C:\Windows\bakoav3.sysJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\7z.exeFile created: C:\Windows\bakrdgv3.sysJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\7z.exeFile created: C:\Windows\bakrdlv3.sysJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\7z.exeFile created: C:\Windows\bakstec3.sysJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\7z.exeFile created: C:\Windows\bakwdgv3.sysJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\7z.exeFile created: C:\Windows\bakwdgv364.sysJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\7z.exeFile created: C:\Windows\LInstSvr.exeJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\7z.exeFile created: C:\Windows\SysWOW64\bakrdgv3.sysJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\7z.exeFile created: C:\Windows\SysWOW64\bakstec3.sysJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\7z.exeFile created: C:\Windows\SysWOW64\winoav3.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\7z.exeFile created: C:\Windows\SysWOW64\winrdlv3.exeJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\7z.exeFile created: C:\Windows\SysWOW64\winwdgv3.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeFile created: C:\Windows\SysWOW64\OcularJump to behavior
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeFile created: C:\Windows\SysWOW64\Ocular3PathJump to behavior
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\msoapphash5.dat
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\msodhash3.dat
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\OAgent.ini
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\Mails
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\Files
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\Temp
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\WinPatch
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\Deploy
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\Rtft
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\FtTemp
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\Dump
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\PrintData
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\Screen
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\Data
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\Asset
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\TSafeDoc
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\SurvData
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\ExData
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\Policy
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\AgentTask
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\TKS
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\TKS\TKSMatch
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\TKS\TKSTemp
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\OAgentTray
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\BroHistory
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\OBtEmulator
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\Download
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\SCDT
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\SCDT\DocLog
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular3Path\SCDT
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular3Path\SCDT\SetupAppTemp
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\AgentTask\AgentTaskList.dat
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\TKS\TKSTemp\Agent
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\TKS\TKSTemp\Agent\7368
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata2_2024_5_17_21_37_5_4886546_1_3_41
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata2_2024_5_17_21_37_5_4886546_2_3_18467
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata2_2024_5_17_21_37_5_4886546_3_3_6334
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata2_2024_5_17_21_37_5_4886562_4_3_26500
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\msagentclass.dat
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata_2024_5_17_21_37_10_4890750_1_3_41
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\msmidtierserverclass_cache3.dat
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\msmailboxcalss_cache.dat
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\msmailboxidentify_cache.dat
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\msusersystemservercfgclass_cache2.dat
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\msusersystemservercfgclass.dat
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\OPolicy.ini
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata_2024_5_17_21_37_12_4892671_3_3_18467
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata_2024_5_17_21_37_14_4895046_5_3_6334
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\AgentTask\AgentTaskList.dat
                Source: C:\Windows\SysWOW64\winrdlv3.exeFile created: C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata_2024_5_17_21_37_16_4897140_7_3_26500
                Source: C:\Users\user\AppData\Local\Temp\7z.exeFile deleted: C:\Windows\win.iniJump to behavior
                Source: Joe Sandbox ViewDropped File: C:\Program Files (x86)\Common Files\System\winrdgv3.exe A3D817490804A951BAC1C7B1EA6F48AED75BAEC7E3B4E31BE4FBD1FE82860BB1
                Source: C:\Windows\SysWOW64\Dism.exeProcess token adjusted: Load DriverJump to behavior
                Source: C:\Windows\SysWOW64\Dism.exeProcess token adjusted: SecurityJump to behavior
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1484600965.0000000000649000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWinRdgV3.exe vs #U8fdd#U89c4#U540d#U5355.exe
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.00000000040AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %s\user.exe%xInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\Language\Common Files\Program FilesProgramFilesDirCommentsLegalTrademarksLegalCopyrightOriginalFilenameInternalNameFileDescriptionProductNameCompanyNameEnumResourceLanguagesExW%04x%04xStringFileInfoVS_VERSION_INFOTranslationVarFileInfoFileVersion%d%s%d%s%d%s%dProductVersiondll`= vs #U8fdd#U89c4#U540d#U5355.exe
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.00000000040AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesystecv3.exe vs #U8fdd#U89c4#U540d#U5355.exe
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1483899194.000000000066E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWinrdlv3.exe: vs #U8fdd#U89c4#U540d#U5355.exe
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000002.1486796477.0000000000649000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWinRdgV3.exe vs #U8fdd#U89c4#U540d#U5355.exe
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000002.1486891079.0000000000676000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWinrdlv3.exe: vs #U8fdd#U89c4#U540d#U5355.exe
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1406208405.000000000408F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ZmInformationNtQuerySysteodeThreadGetExitCeHandleAGetModulFICuctionCacheFlushInstrSTCdContextSetThreaGTCdContextGetThreaessMemoryWriteProcessMemoryReadProcVPErotectExVirtualPlFreeExVirtuaAllocExVirtualoteThreadCreateRemRTThreadResumedThreadSuspenhreadOpenTrocessOpenPtdetourCommentsLegalTrademarksLegalCopyrightOriginalFilenameInternalNameFileDescriptionProductNameCompanyNamedllEnumResourceLanguagesExW%04x%04xStringFileInfoVS_VERSION_INFOTranslationVarFileInfoFileVersion%d%s%d%s%d%s%dProductVersion][ vs #U8fdd#U89c4#U540d#U5355.exe
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1406208405.000000000408F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWinRdgV3.exe vs #U8fdd#U89c4#U540d#U5355.exe
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000002.1487022338.00000000006D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWinrdlv3.exe: vs #U8fdd#U89c4#U540d#U5355.exe
                Source: unknownDriver loaded: C:\Windows\System32\drivers\wimmount.sys
                Source: #U8fdd#U89c4#U540d#U5355.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                Source: winrdgv3.exe.0.drBinary string: \Device\Harddisk
                Source: winwdgv3.dll.8.drBinary string: \Device\TSafeDiskVolume
                Source: winrdgv3.exe.0.drBinary string: \Device\
                Source: classification engineClassification label: mal100.evad.winEXE@42/95@0/1
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_00414F70 GetLastError,FormatMessageA,LocalFree,18_2_00414F70
                Source: C:\Users\user\AppData\Local\Temp\7z.exeCode function: 6_2_001DD6A9 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,6_2_001DD6A9
                Source: C:\Users\user\AppData\Local\Temp\7z.exeCode function: 6_2_001D7E8E _fileno,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,6_2_001D7E8E
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_00489C90 LookupPrivilegeValueW,AdjustTokenPrivileges,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,GetLastError,17_2_00489C90
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_0040AB10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,17_2_0040AB10
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_0040ABD0 LookupPrivilegeValueA,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,17_2_0040ABD0
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_00408990 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,18_2_00408990
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_00408A50 LookupPrivilegeValueA,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,18_2_00408A50
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: 19_2_1000B7C0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,19_2_1000B7C0
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: 19_2_1000B880 LookupPrivilegeValueA,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,19_2_1000B880
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: 19_2_10075DC0 LookupPrivilegeValueW,AdjustTokenPrivileges,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,GetLastError,19_2_10075DC0
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeCode function: 0_2_0040442E GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_0040442E
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: OpenSCManagerA,OpenServiceA,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle,CreateProcessA,WaitForSingleObject,GetWindowsDirectoryA,CopyFileA,CopyFileA,CopyFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,MoveFileA,CopyFileA,GetFileAttributesA,CopyFileA,CopyFileA,OpenSCManagerA,OpenServiceA,CreateServiceA,ChangeServiceConfig2A,ChangeServiceConfig2A,QueryServiceConfigA,ChangeServiceConfigA,StartServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,RegCreateKeyA,RegSetValueExA,RegCloseKey,ShellExecuteA,17_2_0041E220
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: OpenSCManagerA,GetLastError,LockServiceDatabase,GetLastError,OpenServiceA,GetLastError,OpenSCManagerA,GetLastError,LockServiceDatabase,GetLastError,CreateServiceA,ChangeServiceConfig2W,GetLastError,GetLastError,CloseServiceHandle,CloseServiceHandle,UnlockServiceDatabase,CloseServiceHandle,17_2_005498B0
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: OpenSCManagerA,LockServiceDatabase,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,UnlockServiceDatabase,CloseServiceHandle,17_2_0042B950
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: GetModuleFileNameA,RegCreateKeyA,RegSetValueExA,RegCloseKey,OpenSCManagerA,CreateServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,18_2_004140E0
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: GetTickCount,OpenSCManagerA,OpenServiceA,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle,OpenSCManagerA,OpenServiceA,CreateServiceA,ChangeServiceConfig2A,ChangeServiceConfig2A,QueryServiceConfigA,ChangeServiceConfigA,GetLastError,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle,RegCreateKeyA,RegQueryValueExA,RegSetValueExA,RegCloseKey,19_2_1001A2F0
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: OpenSCManagerA,GetLastError,LockServiceDatabase,GetLastError,OpenServiceA,GetLastError,OpenSCManagerA,GetLastError,LockServiceDatabase,GetLastError,CreateServiceA,ChangeServiceConfig2W,GetLastError,GetLastError,CloseServiceHandle,CloseServiceHandle,UnlockServiceDatabase,CloseServiceHandle,19_2_10070340
                Source: C:\Windows\SysWOW64\winrdlv3.exeCode function: 19_2_1002B770 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,19_2_1002B770
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeCode function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar,0_2_00402036
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_0045A260 FindResourceExA,LoadResource,17_2_0045A260
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_0041E220 OpenSCManagerA,OpenServiceA,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle,CreateProcessA,WaitForSingleObject,GetWindowsDirectoryA,CopyFileA,CopyFileA,CopyFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,MoveFileA,CopyFileA,GetFileAttributesA,CopyFileA,CopyFileA,OpenSCManagerA,OpenServiceA,CreateServiceA,ChangeServiceConfig2A,ChangeServiceConfig2A,QueryServiceConfigA,ChangeServiceConfigA,StartServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,RegCreateKeyA,RegSetValueExA,RegCloseKey,ShellExecuteA,17_2_0041E220
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeCode function: 18_2_0041400B StartServiceCtrlDispatcherA,18_2_0041400B
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeFile created: C:\Program Files (x86)\Common Files\System\systecv3.exe
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: \BaseNamedObjects\Global\tec_ocular_mutex_ha_had_agentinfoid
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: \BaseNamedObjects\INIW_AGENTTASKLOG.DAT
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: \BaseNamedObjects\Global\TEC_OCULAR__AGENT_V3_MUTEX_WINWDG32_2
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: \BaseNamedObjects\Global\TEC_OCULAR__AGENT_V3_MUTEX_WINWDG32_1
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: \BaseNamedObjects\Local\TEC_HOOKAPI_TSCDT_STATE_LOCK_LOCAL__SPECIAL_PATH
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: \BaseNamedObjects\Global\TEC_OCULAR_DRV_LOCK
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: \BaseNamedObjects\Global\TEC_OCULAR__SHAREMEMORY_SERVER_TIME_4890671_MapLock
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: \BaseNamedObjects\Global\tec_ocular_mutex_ha_had_agentips
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: \BaseNamedObjects\INIW_MSOOLDDEV.DAT
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeMutant created: \BaseNamedObjects\Global\TEC_OCULAR__AGENT_V3_MUTEX_WINRDG32
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: \BaseNamedObjects\Global\TEC_OCULAR_V3_FMB_LOCKNAME_APPKEY_
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8128:120:WilError_03
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: \BaseNamedObjects\Global\tec_ocular_mutex_ha_had_hookapi_url_specialbrowser
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: \BaseNamedObjects\INIW_OAGENTL.HLP
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: \BaseNamedObjects\INIW_AGENTTASKLIST.DAT
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1236:120:WilError_03
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: \BaseNamedObjects\Global\TEC_OCULAR__SHAREMEMORY_DISABLE_NETWORK_CARD_IP_4885093_MapLock
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: \BaseNamedObjects\Global\tec_ocular_mutex_ha_had_ipclass_range
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: \BaseNamedObjects\Local\TEC_HOOKAPI_TSCDT_STATE_LOCK_LOCAL
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: \BaseNamedObjects\Global\TEC_OCULAR__SHAREMEMORY_LOCAL_VOLUMES_MSG_4885093_MapLock
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: \BaseNamedObjects\Global\tec_ocular_mutex_ha_had_serverports
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: NULL
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7184:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7968:120:WilError_03
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: \BaseNamedObjects\Local\TEC_OCULAR__AGENT_V3_MUTEX_AGENT_pid7368
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: \BaseNamedObjects\Global\tec_ocular_mutex_ha_had_intranetips
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: \BaseNamedObjects\INIW_OPOLICY.INI
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: \BaseNamedObjects\INIW_MSMIDTIERSERVERCLASS3.DAT
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: \BaseNamedObjects\Global\tec_ocular_mutex_ha_had_portclass_range
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1280:120:WilError_03
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: \BaseNamedObjects\SECURITYUDISK_LOG_MUTEX
                Source: C:\Windows\System32\wimserv.exeMutant created: \Sessions\1\BaseNamedObjects\Global\SINGLEINSTANCE-a87a5149-c7b0-4e41-bd88-ef52e4b1f2cb
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: \BaseNamedObjects\Global\TEC_HOOKAPI_TSCDT_TOBETARPROC_LOCK_GLOBAL
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1104:120:WilError_03
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: \BaseNamedObjects\Global\TEC_OCULAR__AGENT_V3_MUTEX_WINWDGSVR
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: \BaseNamedObjects\Global\TEC_OCULAR__SHAREMEMORY_AGENT_SHARELISTIDX_1_MapLock
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: \BaseNamedObjects\INIW_MSMIDTIERSERVERCLASS_CACHE3.DAT
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: \BaseNamedObjects\Global\TEC_OCULAR__SHAREMEMORY_SERVER_TIME_4951187_MapLock
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: \BaseNamedObjects\Global\TEC_HOOKAPI_TSCDT_PROCINFO_LOCK_GLOBAL
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: \BaseNamedObjects\Global\TEC_OCULAR__AGENT_V3_MUTEX_AGENT
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: \BaseNamedObjects\INIW_OAGENT.INI
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: \BaseNamedObjects\Global\L_-1
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: \BaseNamedObjects\Global\tec_ocular_mutex_ha_had_localips
                Source: C:\Windows\SysWOW64\winrdlv3.exeMutant created: \BaseNamedObjects\Global\OAV3_XMsgFrame_NAMETABLEMAP_MapLock
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeFile created: C:\Users\user\AppData\Local\Temp\nsw5B08.tmp
                Source: #U8fdd#U89c4#U540d#U5355.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeFile read: C:\Users\desktop.ini
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: #U8fdd#U89c4#U540d#U5355.exeVirustotal: Detection: 17%
                Source: #U8fdd#U89c4#U540d#U5355.exeReversingLabs: Detection: 23%
                Source: systecv3.exeString found in binary or memory: set-addPolicy
                Source: systecv3.exeString found in binary or memory: id-cmc-addExtensions
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeFile read: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                Source: unknownProcess created: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe "C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe"
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeProcess created: C:\Windows\SysWOW64\Dism.exe dism /mount-wim /wimfile:"C:\Users\user\AppData\Local\Temp\System.wim" /index:1 /mountdir:"C:\Users\user\AppData\Local\Temp\System"
                Source: C:\Windows\SysWOW64\Dism.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\Dism.exeProcess created: C:\Windows\System32\wimserv.exe wimserv.exe a87a5149-c7b0-4e41-bd88-ef52e4b1f2cb
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeProcess created: C:\Users\user\AppData\Local\Temp\7z.exe C:\Users\user\AppData\Local\Temp\7z.exe x LInstSvr.7z -oC:\Windows -pa123456789 -y
                Source: C:\Users\user\AppData\Local\Temp\7z.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeProcess created: C:\Users\user\AppData\Local\Temp\7z.exe C:\Users\user\AppData\Local\Temp\7z.exe x winrdlv3.rar -oC:\Windows\system32 -pa123456789 -y
                Source: C:\Users\user\AppData\Local\Temp\7z.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe"
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall add rule name="winrdlv3" dir=out action=allow program="C:\Windows\system32\winrdlv3.exe"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="winrdlv3" dir=out action=allow program="C:\Windows\system32\winrdlv3.exe"
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeProcess created: C:\Program Files (x86)\Common Files\System\systecv3.exe "C:\Program Files (x86)\Common Files\System\systecv3.exe" SW_HIDE
                Source: unknownProcess created: C:\Program Files (x86)\Common Files\System\winrdgv3.exe "C:\Program Files (x86)\Common Files\System\winrdgv3.exe"
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeProcess created: C:\Windows\SysWOW64\winrdlv3.exe C:\Windows\SysWow64\winrdlv3.exe winwdgv3.dll,RunMonitor32
                Source: C:\Windows\SysWOW64\winrdlv3.exeProcess created: C:\Windows\SysWOW64\winrdlv3.exe C:\Windows\SysWow64\winrdlv3.exe winoav3.dll,RunAgent32
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeProcess created: C:\Program Files (x86)\Common Files\System\winrdgv3.exe "C:\Program Files (x86)\Common Files\System\winrdgv3.exe" SW_HIDE
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeProcess created: C:\Windows\SysWOW64\winrdlv3.exe "C:\Windows\system32\winrdlv3.exe" SW_HIDE
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeProcess created: C:\Windows\SysWOW64\Dism.exe Dism /Unmount-Wim /MountDir:"C:\Users\user\AppData\Local\Temp\System" /commit
                Source: C:\Windows\SysWOW64\Dism.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p
                Source: C:\Windows\SysWOW64\winrdlv3.exeProcess created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe /s trmenushl64.dll
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -s TermService
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeSection loaded: acgenral.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeSection loaded: samcli.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeSection loaded: msacm32.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeSection loaded: version.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeSection loaded: dwmapi.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeSection loaded: winmmbase.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeSection loaded: winmmbase.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeSection loaded: aclayers.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeSection loaded: sfc.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeSection loaded: sfc_os.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeSection loaded: version.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: winwdgv3.dllJump to behavior
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: winoav3.dllJump to behavior
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: winoav3.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: mpr.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: samcli.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: netutils.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: thooksv3.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: rasapi32.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: rasman.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: msi.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: dhcpcsvc.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: dhcpcsvc6.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: winnsi.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: wtsapi32.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: twfpframe.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: udiskiddll.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: udiskiddll.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: funcextv.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tvdmount.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tvdfmt.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: winncap3.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tnfcapinst.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: devobj.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: netsetupshim.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: netsetupapi.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: devrtl.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: netsetupengine.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: netsetupengine.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: twfpframe.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: wlanapi.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: netsetupengine.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tijtdrvd32.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: thlpdrvd32.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: powrprof.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: umpdc.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: trmenushl.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: amsi.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: propsys.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: linkinfo.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tnfcapinst.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: twfpframe.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tijtdrvd32.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: winsta.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tijtdrvd32.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: wfirewallv.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: thlpdrvd32.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: thlpdrvd32.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: twfpframe.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: twfpframe.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: twfpframe.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: twfpframe.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: twfpframe.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: twfpframe.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: twfpframe.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: twfpframe.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: twfpframe.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: twfpframe.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: twfpframe.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: twfpframe.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: twfpframe.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: twfpframe.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Windows\SysWOW64\winrdlv3.exeSection loaded: tpacketd.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe File written: C:\Users\user\AppData\Local\Temp\Languages\zh_hk.ini
                Source: Window Recorder Window detected: More than 3 window changes detected
                Source: C:\Windows\SysWOW64\winrdlv3.exe Key opened: HKEY_USERS.DEFAULT\Software\Microsoft\Office\9.0\Outlook\Resiliency\DoNotDisableAddinList
                Source: #U8fdd#U89c4#U540d#U5355.exe Static file information: File size 14038624 > 1048576
                Source: Binary string: E:\WorkshopAgent\DevelopProj\Code\PreRelease\V4\PreRelease\Bin\Release\systecv3.pdb source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.00000000040AE000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469806614.0000020C89D5E000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.000000000435D000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, 00000011.00000003.1440074983.000000000245B000.00000004.00000020.00020000.00000000.sdmp, systecv3.exe.5.dr
                Source: Binary string: E:\WorkshopAgent\DevelopProj\Code\V4\4.73.808.X\4.0.0.31\Bin\Release\winoav3.pdb source: 7z.exe, 00000006.00000003.1419070470.0000000003F5D000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: E:\WorkshopAgent\DevelopProj\Code\PreRelease\V4\PreRelease\Bin\Release\WinRdgv3.pdb source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1406208405.000000000408F000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469804953.0000020C89ED4000.00000004.00000020.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1419070470.0000000004101000.00000004.00001000.00020000.00000000.sdmp, systecv3.exe, 00000011.00000002.1444354206.0000000000936000.00000004.00000020.00020000.00000000.sdmp, Dism.exe, 00000017.00000003.1468203772.000000000531B000.00000004.00000020.00020000.00000000.sdmp, winrdgv3.exe.0.dr
                Source: Binary string: E:\WorkshopAgent\DevelopProj\Code\PreRelease\V4\PreRelease\Bin\Release\WinWdgv3.pdb source: 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000008.00000003.1428707960.0000000003156000.00000004.00001000.00020000.00000000.sdmp, winwdgv3.dll.8.dr
                Source: Binary string: E:\WorkshopAgent\DevelopProj\Code\PreRelease\V4\PreRelease\Bin\Release\WinWdgv364.pdb source: 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: H:\WorkshopAgent\DevelopProjX\winrdlv3\Bin\Release\WinRdlv3.pdb source: 7z.exe, 00000006.00000003.1419070470.0000000004123000.00000004.00001000.00020000.00000000.sdmp, winrdgv3.exe, 00000012.00000003.1443475452.0000000000917000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\WorkshopAgent\DevelopProj2\AgentInstaller\Inner\PreRelease\AInstallV3\Bin\Unicode_Release\LInstSvr.pdb source: 7z.exe, 00000006.00000003.1419070470.0000000004735000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000006.00000003.1417551442.0000000004745000.00000004.00001000.00020000.00000000.sdmp, LInstSvr.exe.6.dr
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe Code function: 0_2_0040602D GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_0040602D
                Source: 7z.exe.0.dr Static PE information: section name: .sxdata
                Source: 7z.dll.0.dr Static PE information: section name: .sxdata
                Source: C:\Windows\SysWOW64\winrdlv3.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe /s trmenushl64.dll

                Persistence and Installation Behavior

                Source: C:\Windows\SysWOW64\winrdlv3.exe Executable created and started: C:\Windows\SysWOW64\winrdlv3.exe
                Source: C:\Users\user\AppData\Local\Temp\7z.exe File created: C:\Windows\bakoav3.sys
                Source: C:\Users\user\AppData\Local\Temp\7z.exe File created: C:\Windows\bakrdgv3.sys
                Source: C:\Users\user\AppData\Local\Temp\7z.exe File created: C:\Windows\bakrdlv3.sys
                Source: C:\Users\user\AppData\Local\Temp\7z.exe File created: C:\Windows\bakstec3.sys
                Source: C:\Users\user\AppData\Local\Temp\7z.exe File created: C:\Windows\bakwdgv3.sys
                Source: C:\Users\user\AppData\Local\Temp\7z.exe File created: C:\Windows\bakwdgv364.sys
                Source: C:\Users\user\AppData\Local\Temp\7z.exe File created: C:\Windows\SysWOW64\bakrdgv3.sys
                Source: C:\Users\user\AppData\Local\Temp\7z.exe File created: C:\Windows\SysWOW64\bakstec3.sys
                Source: C:\Users\user\AppData\Local\Temp\7z.exe File created: C:\Windows\SysWOW64\winwdgv3.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe File created: C:\Program Files (x86)\Common Files\System\winrdgv3.exe
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe File created: C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\nsExec.dll
                Source: C:\Windows\System32\wimserv.exe File created: C:\Users\user\AppData\Local\Temp\System\systecv3.exe
                Source: C:\Users\user\AppData\Local\Temp\7z.exe File created: C:\Windows\SysWOW64\winrdlv3.exe
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe File created: C:\Users\user\AppData\Local\Temp\7z.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe File created: C:\Windows\SysWOW64\winoav3.dll
                Source: C:\Windows\System32\wimserv.exe File created: C:\Users\user\AppData\Local\Temp\System\winrdgv3.exe
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe File created: C:\Windows\System32\winwdgv364.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe File created: C:\Users\user\AppData\Local\Temp\7z.exe
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe File created: C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\System.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe File created: C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\NsProcess.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe File created: C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\ExecDos.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe File created: C:\Windows\LInstSvr.exe
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe File created: C:\Program Files (x86)\Common Files\System\systecv3.exe
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe File created: C:\Users\user\AppData\Local\Temp\LICENSE.electron.txt

                Boot Survival

                Source: C:\Windows\SysWOW64\winrdlv3.exe Registry key monitored: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
                Source: C:\Windows\SysWOW64\winrdlv3.exe Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
                Source: C:\Windows\SysWOW64\winrdlv3.exe Registry value created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\.Winhlpsvr NULL
                Source: C:\Windows\SysWOW64\winrdlv3.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\OAgent
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Code function: 17_2_0041E220 OpenSCManagerA,OpenServiceA,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle,CreateProcessA,WaitForSingleObject,GetWindowsDirectoryA,CopyFileA,CopyFileA,CopyFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,MoveFileA,CopyFileA,GetFileAttributesA,CopyFileA,CopyFileA,OpenSCManagerA,OpenServiceA,CreateServiceA,ChangeServiceConfig2A,ChangeServiceConfig2A,QueryServiceConfigA,ChangeServiceConfigA,StartServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,RegCreateKeyA,RegSetValueExA,RegCloseKey,ShellExecuteA, 17_2_0041E220

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\System32\wimserv.exe File opened: NULL
                Source: C:\Windows\SysWOW64\Dism.exe File opened: NULL
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Code function: 17_2_0043C2EF IsIconic,GetWindowPlacement,GetWindowRect, 17_2_0043C2EF
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: 18_2_0041EC7F IsIconic,GetWindowPlacement,GetWindowRect, 18_2_0041EC7F
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_1002FC42 IsIconic,GetWindowPlacement,GetWindowRect, 19_2_1002FC42
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Code function: 17_2_00416020 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 17_2_00416020
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\winrdlv3.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\Dism.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match File source: 6.3.7z.exe.31b0000.1.unpack, type: UNPACKEDPE
                Source: Yara match File source: 20.2.winrdlv3.exe.10000000.1.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000006.00000003.1419070470.0000000003C95000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: 7z.exe PID: 8120, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: winrdlv3.exe PID: 7368, type: MEMORYSTR
                Source: Yara match File source: C:\Windows\SysWOW64\winoav3.dll, type: DROPPED
                Source: Yara match File source: C:\Windows\bakoav3.sys, type: DROPPED
                Source: C:\Windows\SysWOW64\winrdlv3.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_100CD970 19_2_100CD970
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Stalling execution: Execution stalls by calling Sleep
                Source: C:\Windows\SysWOW64\winrdlv3.exe Stalling execution: Execution stalls by calling Sleep
                Source: C:\Windows\SysWOW64\winrdlv3.exe File opened / queried: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Code function: 17_2_004A6280 NtQuerySystemInformation,GetCurrentProcessId,NtQuerySystemInformation,GetLastError, 17_2_004A6280
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: OpenSCManagerA,OpenSCManagerA,GetLastError,OpenSCManagerA,GetLastError,EnumServicesStatusA,OpenSCManagerA,GetLastError,EnumServicesStatusA,GetLastError,CloseServiceHandle, 19_2_10071B50
                Source: C:\Users\user\AppData\Local\Temp\7z.exe Dropped PE file which has not been started: C:\Windows\bakwdgv364.sys
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\nsExec.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe Dropped PE file which has not been started: C:\Windows\bakwdgv3.sys
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7z.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe Dropped PE file which has not been started: C:\Windows\System32\winwdgv364.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe Dropped PE file which has not been started: C:\Windows\bakoav3.sys
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\System.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\ExecDos.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\NsProcess.dll
                Source: C:\Users\user\AppData\Local\Temp\7z.exe Dropped PE file which has not been started: C:\Windows\LInstSvr.exe
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Evasive API call chain: GetLocalTime,DecisionNodes
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Evasive API call chain: GetLocalTime,DecisionNodes graph_17-79628
                Source: C:\Users\user\AppData\Local\Temp\7z.exe API coverage: 7.6 %
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe API coverage: 2.6 %
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe API coverage: 1.8 %
                Source: C:\Windows\SysWOW64\winrdlv3.exe API coverage: 3.0 %
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe TID: 6536 Thread sleep count: 99 > 30
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe TID: 7880 Thread sleep count: 100 > 30
                Source: C:\Windows\SysWOW64\winrdlv3.exe File opened: PhysicalDrive0
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe File Volume queried: C:\ FullSizeInformation
                Source: C:\Windows\SysWOW64\winrdlv3.exe File Volume queried: C:\ FullSizeInformation
                Source: C:\Windows\SysWOW64\winrdlv3.exe File Volume queried: \Device\CdRom0\ FullSizeInformation
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeCode function: 0_2_00406006 FindFirstFileA,FindClose,0_2_00406006
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeCode function: 0_2_004055C2 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_004055C2
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exeCode function: 0_2_00402647 FindFirstFileA,0_2_00402647
                Source: C:\Users\user\AppData\Local\Temp\7z.exeCode function: 6_2_001D58C4 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,6_2_001D58C4
                Source: C:\Users\user\AppData\Local\Temp\7z.exeCode function: 6_2_001D7635 FindFirstFileW,6_2_001D7635
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_005BC1BB __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,17_2_005BC1BB
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_00481E70 FindFirstFileA,FindNextFileA,FindClose,17_2_00481E70
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_0040C0B0 FindFirstFileA,FindNextFileA,FindClose,17_2_0040C0B0
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_00482180 FindFirstFileW,FindNextFileW,FindClose,17_2_00482180
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_0040C2E0 FindFirstFileW,FindNextFileW,FindClose,17_2_0040C2E0
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_00414440 FindFirstFileW,FindClose,17_2_00414440
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_004144B0 FindFirstFileW,FindFirstFileW,17_2_004144B0
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_0048A500 SetFileSecurityA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,SetFileSecurityA,FindNextFileA,FindClose,17_2_0048A500
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_00482600 FindFirstFileW,FindNextFileW,SetLastError,FindClose,17_2_00482600
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_005BC6D1 FindFirstFileA,FindClose,17_2_005BC6D1
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_00482A60 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,17_2_00482A60
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_0040EB60 CopyFileA,SetFileAttributesA,SetFileSecurityA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,17_2_0040EB60
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_0040CE50 GetFileAttributesA,SetFileAttributesA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,RemoveDirectoryA,MoveFileExA,DeleteFileA,MoveFileExA,17_2_0040CE50
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_00468FC0 GetFileAttributesA,FindFirstFileA,FindClose,CreateFileA,GetFileTime,CloseHandle,GetLocalTime,17_2_00468FC0
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_00481060 SetLastError,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,FindClose,GetLastError,SetLastError,17_2_00481060
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_00483000 FindFirstFileW,FindNextFileW,SetLastError,FindClose,17_2_00483000
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_0058B0C7 lstrcpyA,FindFirstFileA,GetLastError,SetLastError,17_2_0058B0C7
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_0040D0B0 SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,RemoveDirectoryW,MoveFileExW,DeleteFileW,MoveFileExW,17_2_0040D0B0
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_004111E0 FindFirstFileW,CopyFileW,lstrcmpW,lstrcmpW,lstrcmpW,CreateDirectoryW,CopyFileW,CopyFileW,FindNextFileW,FindClose,17_2_004111E0
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_00481180 SetLastError,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindClose,GetLastError,SetLastError,17_2_00481180
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_004052A0 FindFirstFileW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,17_2_004052A0
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_0040D450 FindFirstFileW,MoveFileExA,lstrcmpW,RemoveDirectoryW,lstrcmpW,lstrcmpW,SetFileAttributesW,RemoveDirectoryW,RemoveDirectoryW,FindNextFileW,FindClose,17_2_0040D450
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_0040F400 GetFileAttributesA,FindFirstFileA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,17_2_0040F400
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_00483480 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,17_2_00483480
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_0040DB10 GetFileAttributesA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,17_2_0040DB10
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exeCode function: 17_2_00427B30 GetFileAttributesA,SetFileAttributesA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,RemoveDirectoryA,DeleteFileA,17_2_00427B30
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: 18_2_0045A030 FindFirstFileW,FindNextFileW,SetLastError,FindClose,18_2_0045A030
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: 18_2_00458090 SetLastError,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,FindClose,GetLastError,SetLastError,18_2_00458090
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: 18_2_0040A160 FindFirstFileW,FindNextFileW,FindClose,18_2_0040A160
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: 18_2_004581B0 SetLastError,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindClose,GetLastError,SetLastError,18_2_004581B0
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: 18_2_004122B0 FindFirstFileW,FindClose,18_2_004122B0
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: 18_2_00412320 FindFirstFileW,FindFirstFileW,18_2_00412320
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: 18_2_0045A4B0 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,18_2_0045A4B0
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: 18_2_00404940 FindFirstFileW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,18_2_00404940
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: 18_2_0040C9E0 SetFileAttributesA,SetFileSecurityA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,18_2_0040C9E0
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: 18_2_0040ACD0 GetFileAttributesA,SetFileAttributesA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,RemoveDirectoryA,MoveFileExA,DeleteFileA,MoveFileExA,18_2_0040ACD0
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: 18_2_00458EA0 FindFirstFileA,FindNextFileA,FindClose,18_2_00458EA0
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: 18_2_0040AF30 SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,RemoveDirectoryW,MoveFileExW,DeleteFileW,MoveFileExW,18_2_0040AF30
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: 18_2_00548FAB __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,18_2_00548FAB
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: 18_2_0040F060 FindFirstFileW,CopyFileW,lstrcmpW,lstrcmpW,lstrcmpW,CreateDirectoryW,CopyFileW,CopyFileW,FindNextFileW,FindClose,18_2_0040F060
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: 18_2_004591B0 FindFirstFileW,FindNextFileW,FindClose,18_2_004591B0
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: 18_2_0040B2D0 FindFirstFileW,lstrcmpW,RemoveDirectoryW,lstrcmpW,lstrcmpW,SetFileAttributesW,RemoveDirectoryW,RemoveDirectoryW,FindNextFileW,FindClose,18_2_0040B2D0
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: 18_2_0040D280 GetFileAttributesA,FindFirstFileA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,18_2_0040D280
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: 18_2_005494C1 FindFirstFileA,FindClose,18_2_005494C1
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: 18_2_00475670 SetFileSecurityA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,SetFileSecurityA,FindNextFileA,FindClose,18_2_00475670
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: 18_2_00459630 FindFirstFileW,FindNextFileW,SetLastError,FindClose,18_2_00459630
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: 18_2_0040B990 GetFileAttributesA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,18_2_0040B990
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: 18_2_00459A90 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,18_2_00459A90
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: 18_2_00409F30 FindFirstFileA,FindNextFileA,FindClose,18_2_00409F30
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_1017F1D9 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,19_2_1017F1D9
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_1006B030 FindFirstFileExW,FindFirstFileW,FindNextFileW,SetLastError,FindClose,19_2_1006B030
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_1014F097 lstrcpyA,FindFirstFileA,GetLastError,SetLastError,19_2_1014F097
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_10069090 SetLastError,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,FindClose,GetLastError,SetLastError,19_2_10069090
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_100150F0 FindFirstFileW,FindClose,19_2_100150F0
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_10015160 FindFirstFileW,FindFirstFileExW,FindFirstFileW,19_2_10015160
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_100691B0 SetLastError,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindClose,GetLastError,SetLastError,19_2_100691B0
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_1006B4B0 FindFirstFileW,FindFirstFileExW,FindFirstFileExW,FindFirstFileW,FindNextFileW,FindClose,19_2_1006B4B0
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_1017F6EF FindFirstFileA,FindClose,19_2_1017F6EF
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_1000F810 SetFileAttributesA,SetFileSecurityA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,19_2_1000F810
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_1000DB00 GetFileAttributesA,SetFileAttributesA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,RemoveDirectoryA,MoveFileExA,DeleteFileA,MoveFileExA,19_2_1000DB00
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_1000DD60 SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,RemoveDirectoryW,MoveFileExW,DeleteFileW,MoveFileExW,19_2_1000DD60
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_10011E90 FindFirstFileW,CopyFileW,lstrcmpW,lstrcmpW,lstrcmpW,CreateDirectoryW,CopyFileW,CopyFileW,FindNextFileW,FindClose,19_2_10011E90
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_10069EA0 FindFirstFileA,FindNextFileA,FindClose,19_2_10069EA0
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_100100B0 GetFileAttributesA,FindFirstFileA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,19_2_100100B0
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_1000E100 FindFirstFileW,lstrcmpW,RemoveDirectoryW,lstrcmpW,lstrcmpW,SetFileAttributesW,RemoveDirectoryW,RemoveDirectoryW,FindNextFileW,FindClose,19_2_1000E100
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_1006A1B0 FindFirstFileW,FindNextFileW,FindClose,19_2_1006A1B0
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_1006A630 FindFirstFileExW,FindFirstFileW,FindNextFileW,SetLastError,FindClose,19_2_1006A630
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_10076630 SetFileSecurityA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,SetFileSecurityA,FindNextFileA,FindClose,19_2_10076630
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_1000E7C0 GetFileAttributesA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,19_2_1000E7C0
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_1006AA90 FindFirstFileW,FindFirstFileExW,FindFirstFileExW,FindFirstFileW,FindNextFileW,FindClose,19_2_1006AA90
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_10006B60 FindFirstFileW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,19_2_10006B60
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_1000CD60 FindFirstFileA,FindNextFileA,FindClose,19_2_1000CD60
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_1000CF90 FindFirstFileW,FindNextFileW,FindClose,19_2_1000CF90
                Source: C:\Users\user\AppData\Local\Temp\7z.exe Code function: 6_2_001D62DF __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,6_2_001D62DF
                Source: C:\Users\user\AppData\Local\Temp\7z.exe Code function: 6_2_001D861A GetSystemInfo,6_2_001D861A
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe File opened: C:\Users\user\AppData\
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe File opened: C:\Users\user\
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe File opened: C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe File opened: C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\ExecDos.dll
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe File opened: C:\Users\user\AppData\Local\
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe File opened: C:\Users\user\AppData\Local\Temp\
                Source: winrdlv3.exe, 00000014.00000002.2622011718.0000000000E59000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ROMNECVMWARVMWARE_SATA_CD001.00
                Source: winrdlv3.exe, 00000014.00000003.1881209202.0000000002DAC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @vmicvss
                Source: winrdlv3.exe, 00000014.00000003.2085473245.000000000065C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000c5e500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: winrdlv3.exe, 00000014.00000002.2628882544.0000000010C12000.00000008.00000001.01000000.00000014.sdmpBinary or memory string: wxwork.exeqq.exeteamviewer_service.exe;vncserver.exe;ToDesk_Service.exe;SunloginClient.exe;winvnc4.exeteamviewer_service.exewwahost.exevmware-authd.exeRsTray.exe;RsMain.exe;RsConfig.exe;RavTray.exe;ScanFrm.exe;RavMonD.exeCTIjtDrvRule::SetDefRule [====]CTIjtDrvRule::SetDefRule [i = %d] [ret = %d] [%d %d %s %d %d %d] [%s] [%s]CTIjtDrvRule::SetDefRule [Config] 2 [!!!!] [%d]CTIjtDrvRule::SetDefRule [Config] 1 [%d] [%08x]CTIjtDrvRule::SetDefRule [----]CTIjtDrvRule::CheckRule [====]CTIjtDrvRule::CheckRule 3 [%d %d %d]CTIjtDrvRule::CheckRule 2 [%d %d]CTIjtDrvRule::CheckRule 1 [%08x] [%s]CTIjtDrvRule::CheckRule [----]CTIjtDrvRule::AppRule [i = %d] [ret = %d] [####] [%d %d %s %d %d %d] [%s] [%s]CheckIjtDrvToVds [%d][%s];Guid={F3CDAA5B-457B-4EA6-B5B5-9C50D1F7B86F},Id=102,Type=1,Mode=1,Bit=2,Procs=vds.exe,Modules=winhafnt64.dll;Guid={263A953C-7091-4D30-955F-55D57A00BF55},Id=102,Type=1,Mode=1,Bit=1,Procs=vds.exe,Modules=winhafnt.dllvds.exe
                Source: winrdlv3.exe, 00000014.00000003.1881209202.0000000002DAC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \DiskVMware__Virtual_disk____2.0_
                Source: winrdlv3.exe, 00000014.00000002.2628122545.0000000010AFF000.00000008.00000001.01000000.00000014.sdmpBinary or memory string: ad [=====]CAgent::StartHlpThread [-----]CAgent::StopHlpThread [=====]CAgent::StopHlpThread [-----]CAgent::StartHlp2Thread [=====]CAgent::StartHlp2Thread [-----]CAgent::StopHlp2Thread [=====]CAgent::StopHlp2Thread [-----]CAgent::Start [===========]PolicyUpdateTimePolicyNumCrashOAgentTrayInfoCAgent::Start TKSAgent [!!!!]TKSAgentCAgent::Start [=====]CAgent::Start 2CAgent::Start 1CAgent::Start TryConnectSvr 0x%lxCAgent::Start AEApply 2CAgent::Start AEApply 1CAgent::Start THlpDrvCAgent::Start TIjtCAgent::Start TIjtDrv 6CAgent::Start TIjtDrv 5CAgent::Start TIjtDrv 41 [%d %d]CAgent::Start TIjtDrv 4CAgent::Start TIjtDrv 3CAgent::Start TIjtDrv 2CAgent::Start TIjtDrv 13 [%d]CAgent::Start TIjtDrv 12 [%08x %08x]CAgent::Start TIjtDrv 11 [%S %S] [%08x]baktijtdrv64.sysTIjtDrv64.sysbaktijtdrv32.sysTIjtDrv32.sysCAgent::Start TIjtDrv [Config] 2 [!!!!] [%d]CAgent::Start TIjtDrv [Config] 1 [%d] [%08x]TIjtDrvCAgent::Start TIjtDrv 1CAgent::DoMonitor [BaoMiJun] Initialize 2PersonIDCAgent::DoMonitor [BaoMiJun] Initialize 1CAgent::Start Dump Trace 0x%lx %luAgentDumpCAgent::Start ConnectABSvr 0x%lxCAgent::Start MonitorSessionInfo 0x%lxCAgent::Start KillSelTimer [%d]CAgent::Start notifychangeidsCAgent::Start PolicyImportToolAgentExtendedConfig.datPolicyImportTool.exeCAgent::Start agttoolAgt3Tool.exeCAgent::Start tsdUninstallDriver 2[ret: %d %d]_DeltsysdrvUninstallDriver 1[ret: %d %d]TSysDrvbaktsdrvd.systsysdrv.dllCAgent::Start tpacketbaktpktn.sysCAgent::Start udp IsDisPort[%d]CAgent::Start getbasinfoCAgent::Start getverinfoCAgent::Start wpinstCAgent::Start wsecmgrCAgent::Start deploymgrCAgent::Start deploymgr 0 [%d]CAgent::Start printmgrCAgent::Start logonnotifyCAgent::Start devmgrCAgent::Start basmgrCAgent::Start ftsvrCAgent::Start vconnmgrCAgent::Start authormgrCAgent::Start tsfaenetCAgent::Start rasmgrCAgent::Start msgmgrCAgent::Start netcap 
[m_bStartTnfcap : %d]TnfcapInst.dllCAgent::Start netcap 2 (%08x)CAgent::Start netcap ## [%d %08x]CAgent::Start netcap 1 (%08x)CAgent::Start udiskdrvCAgent::Stop udiskdrv 3 [%lu]CAgent::Start udiskdrv 3 [%lu] [%lu]CAgent::Start udiskdrv 2CAgent::Start udiskdrv 1%s\drivers\%stvdisk.sysbaktvd64.sysbaktvd.sysCAgent::Start comdllwinoacbakoacCAgent::Start AgentUCAgent::Start initbaslogCAgent::Start SDCenterCAgent::Start config [Mode : %d]CAgent::Start enmodCAgent::Start enmod 3 [%lu] [%lu]CAgent::Start enmod 2CAgent::Start enmod 1bakencyx.syswinencyx.dllCAgent::Start sessmgrCAgent::Start tcpCAgent::Start CheckSDHwInfo 0x%lxCAgent::Start TranBufToOtherFile [msusersystemservercfgclass]CAgent::Start initpolicyCAgent::Start [TIjtNecessity]CAgent::Start [SyncTimeZone] [%d]CAgent::Start [Offline] [@@@@] [%d]CAgent::Start [Offline] [%d]CAgent::Start g_sdUDiskMgrAgent.IsExpireSyncTimeCAgent::Start synctime 2 (%08x)(%08x) (%08x)CAgent::Start synctime [%08x] [%s] [%08x] [%d] [%08x][%s]SetPID::%lu/0x%lxSetPID::0x%lxsoftware\TEC\Ocular.3\ShareData\EDBAKTIMEsoftware\TEC\Ocular.3\ShareData\DEFSEsoftware\TEC\Ocular.3\Agent\SDSystem\FilePathManagersoftw
                Source: winrdlv3.exe, 00000014.00000003.1625350913.0000000002DBB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\CDROMNECVMWARVMWARE_SATA_CD001.00
                Source: winrdlv3.exe, 00000014.00000003.2085473245.00000000006A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: `VMware_SATA_CD001GenCdRom
                Source: winrdlv3.exe, 00000014.00000003.2085473245.00000000006A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000da5&0&0001t
                Source: winrdlv3.exe, 00000014.00000003.2085473245.00000000006A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Standard USB 3.1 eXtensible Host Controller - 1.0 (Microsoft)0d-b6bf-11d0-94f2-00a0c91efb8b}\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}7
                Source: winrdlv3.exe, 00000014.00000003.1512550059.0000000002DB6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Heartbeat Service
                Source: winrdlv3.exe, 00000014.00000002.2625664951.0000000002D89000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: SCSI\CdRomNECVMWarVMware_SATA_CD00
                Source: winrdlv3.exe, 00000014.00000003.1625350913.0000000002DBB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NECVMWAR VMWARE SATA CD00
                Source: winrdlv3.exe, 00000014.00000003.2085252910.0000000000640000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000002.2620945707.0000000000641000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @wgencounter.inf,%gencounter.devicedesc%;Microsoft Hyper-V Generation Counter4
                Source: winrdlv3.exe, 00000014.00000003.2084871740.00000000006C2000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000002.2621653178.00000000006C2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @wgencounter.infgencounter.devicedescMicrosoft Hyper-V Generation CounterSYS_040515ADPCI\VEN_15AD&DEV_0405&CC_030000PCI\VEN_15AD&DEV_0405&CC_0300
                Source: winrdlv3.exe, 00000014.00000002.2620622167.0000000000608000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \DiskVMware__SCSI\VMware__Virtu@
                Source: winrdlv3.exe, 00000014.00000003.1623609118.00000000006A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&0000000000_6600_@_2.40_GHz\_1
                Source: winrdlv3.exe, 00000014.00000003.1881209202.0000000002DAC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PCI\VEN_8086&DEV_7111&SUBSYS_197615AD&REV_01Intel(R) 82371AB/EB PCI Bus Master IDE Controller#PPMHVMware VMCI Bus DevicePCI\VEN_15AD&DEV_0740&SUBSYS_074015AD&REV_10NOT FOUNDvmci
                Source: winrdlv3.exe, 00000014.00000002.2625664951.0000000002D89000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: kI\Device\00000025SCSI\CdRomNECVMWarVMware_SATA_CD001.00SCSI\CdRomNECVMWarVMware_SATA_CD00SCSI\CdRomNECVMWarSCSI\NECVMWarVMware_SATA_CD001NECVMWarVMware_SATA_CD001GenCdRom
                Source: winrdlv3.exe, 00000014.00000003.1472967472.0000000000656000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000c5e500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: winrdlv3.exe, 00000014.00000003.2085473245.00000000006A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ecvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000c5e500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\storage#volux
                Source: winrdlv3.exe, 00000014.00000003.1484883344.000000000065A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}efb8b}b8b}
                Source: winrdlv3.exe, 00000014.00000003.1625350913.0000000002DBB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &@SCSI\CDROMNECVMWARVMWARE_SATA_CD001.000000ID_0003&REV_0102<
                Source: winrdlv3.exe, 00000014.00000002.2625664951.0000000002D89000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: NECVMWarVMware_SATA_CD001
                Source: winrdlv3.exe, 00000014.00000003.2085473245.00000000006A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_Y
                Source: winrdlv3.exe, 00000014.00000003.2085473245.00000000006A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{5
                Source: winrdlv3.exe, 00000014.00000003.1473116955.0000000000662000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: om&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                Source: winrdlv3.exe, 00000014.00000003.1493739618.000000000068C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                Source: winrdlv3.exe, 00000014.00000003.1881209202.0000000002DAC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicheartbeat
                Source: winrdlv3.exe, 00000014.00000003.1482481589.000000000065A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                Source: winrdlv3.exe, 00000014.00000002.2626684237.0000000003F50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: m&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: winrdlv3.exe, 00000014.00000003.1511042557.00000000006BE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\CdRomNECVMWarVMware_SATA_CD001.00SCSI\CdRomNECVMWarVMware_SATA_CD00SCSI\CdRomNECVMWarSCSI\NECVMWarVMware_SATA_CD001NECVMWarVMware_SATA_CD001GenCdRomO
                Source: winrdlv3.exe, 00000014.00000003.1510131773.00000000006BE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}W
                Source: winrdlv3.exe, 00000014.00000002.2621653178.00000000006C2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\CdRomNECVMWarVMware_SATA_CD001.00SCSI\CdRomNECVMWarVMware_SATA_CD00SCSI\CdRomNECVMWarSCSI\NECVMWarVMware_SATA_CD001NECVMWarVMware_SATA_CD001GenCdRomJ
                Source: winrdlv3.exe, 00000014.00000003.1455820212.0000000000E69000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1494583857.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1455920356.0000000000E80000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1496857306.0000000002D9B000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000002.2622011718.0000000000ED5000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1460301607.0000000000E91000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1494786118.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1565587853.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1626578573.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1606864820.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1507654141.0000000002DC9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: )ACPI\VEN_PNP&DEV_0A03PCI Bus%PPMHMicrosoft Hyper-V Generation CounterACPI\VEN_VMW&DEV_00017gencounter
                Source: winrdlv3.exe, 00000014.00000003.1455626270.0000000000E79000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &ACPI\VEN_PNP&DEV_0A08PCI Express Root Complex,PPMHVMware Virtual disk SCSI Disk DeviceSCSI\DiskVMware__Virtual_disk____2.0_NOT FOUNDdisk
                Source: winrdlv3.exe, 00000014.00000003.1512550059.0000000002DB6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Volume Shadow Copy Requestor
                Source: winrdlv3.exe, 00000014.00000002.2620622167.0000000000608000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000r3
                Source: winrdlv3.exe, 00000014.00000003.1625350913.0000000002DBB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @NECVMWAR VMWARE SATA CD00ler&MI_0100002- 1.0 (Microsoft)\
                Source: winrdlv3.exe, 00000014.00000002.2623053817.00000000013C2000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: SCSI\CDROMNECVMWARVMWARE_SATA_CD001.\Device\00000025
                Source: winrdlv3.exe, 00000014.00000003.1455626270.0000000000E79000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PCI\VEN_8086&DEV_7111&SUBSYS_197615AD&REV_01Intel(R) 82371AB/EB PCI Bus Master IDE Controller#PPMHVMware VMCI Bus DevicePCI\VEN_15AD&DEV_0740&SUBSYS_074015AD&REV_10NOT FOUNDvmci
                Source: winrdlv3.exe, 00000014.00000003.1512550059.0000000002DB6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Time Synchronization Service
                Source: winrdlv3.exe, 00000014.00000003.1624117621.00000000006A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&0000000000&0001@_2.40_GHz\_0VcX
                Source: winrdlv3.exe, 00000014.00000002.2623053817.00000000013C2000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: SCSI\CDROMNECVMWARVMWARE_SATA_CD001.00%
                Source: winrdlv3.exe, 00000014.00000002.2620622167.0000000000608000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @oem2.infloc.vmwarebusdevicedescVMware VMCI Bus Device
                Source: winrdlv3.exe, 00000014.00000003.1479832260.000000000065C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ecvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000c5e500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
                Source: winrdlv3.exe, 00000014.00000003.1460447127.0000000000E91000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: `ACPI\VEN_PNP&DEV_0A08PCI Express Root Complex0PPMHNECVMWar VMware SATA CD00SCSI\CdRomNECVMWarVMware_SATA_CD001.00NOT FOUNDcdrom
                Source: winrdlv3.exe, 00000014.00000002.2622011718.0000000000E59000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @ClipSVC VMWARE SATA CD00ler&MI_01<
                Source: winrdlv3.exe, 00000014.00000003.1511042557.00000000006BE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}{
                Source: winrdlv3.exe, 00000014.00000003.1455820212.0000000000E69000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1494583857.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1455920356.0000000000E80000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1460301607.0000000000E91000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1459327768.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1494786118.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1565587853.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1626578573.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1606864820.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1455213116.0000000000E78000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1565229125.0000000000ED7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PPMHMicrosoft Hyper-V Virtualization Infrastructure Driver
                Source: winrdlv3.exe, 00000014.00000003.1881209202.0000000002DAC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ACPI\VEN_PNP&DEV_0A08PCI Express Root Complex0PPMHNECVMWar VMware SATA CD00SCSI\CdRomNECVMWarVMware_SATA_CD001.00NOT FOUNDcdrom
                Source: winrdlv3.exe, 00000014.00000002.2620622167.0000000000608000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @oem2.infloc.vmwarebusdevicedescVMware VMCI Bus DeviceEV_1001HDAUDIO\FUNC_01&VEN_15AD&DEV_1975&SUBSYS_15AD1975O
                Source: winrdlv3.exe, 00000014.00000003.2085473245.00000000006A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000da5&0&0001
                Source: winrdlv3.exe, 00000014.00000003.1472967472.000000000065E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t
                Source: winrdlv3.exe, 00000014.00000003.1512550059.0000000002DB6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
                Source: winrdlv3.exe, 00000014.00000003.2085473245.00000000006A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mNECVMWarVMware_SATA_CD00SCSI\CdRomNECVMWarSCSI\NECVMWarVMware_SATA_CD001NECVMWarVMware_SATA_CD001GenCdRom]
                Source: winrdlv3.exe, 00000014.00000003.1502270246.0000000000EB2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk SCSI Disk DeviceSCSI\DiskVMware__Virtual_disk____2.0_NOT FOUNDdisk
                Source: winrdlv3.exe, 00000014.00000003.1623609118.00000000006C2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\CdRomNECVMWarVMware_SATA_CD001.00SCSI\CdRomNECVMWarVMware_SATA_CD00SCSI\CdRomNECVMWarSCSI\NECVMWarVMware_SATA_CD001NECVMWarVMware_SATA_CD001GenCdRom
                Source: winrdlv3.exe, 00000014.00000003.1881209202.0000000002DAC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PPMHVMware Virtual disk SCSI Disk Device
                Source: winrdlv3.exe, 00000014.00000003.2084871740.000000000068E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}
                Source: winrdlv3.exe, 00000014.00000002.2622011718.0000000000E59000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @CDPSvcROMNECVMWARVMWARE_SATA_CD001.000000L
                Source: winrdlv3.exe, 00000014.00000003.1881209202.0000000002DAC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ACPI\VEN_PNP&DEV_0A08PCI Express Root Complex,PPMHVMware Virtual disk SCSI Disk DeviceSCSI\DiskVMware__Virtual_disk____2.0_NOT FOUNDdisk
                Source: winrdlv3.exe, 00000014.00000003.1512550059.0000000002DB6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Remote Desktop Virtualization Service
                Source: winrdlv3.exe, 00000014.00000003.1622553485.00000000006A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}7
                Source: winrdlv3.exe, 00000014.00000003.1881209202.0000000002DAC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PPMHVMware VMCI Bus Device
                Source: winrdlv3.exe, 00000014.00000003.1511042557.00000000006BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: winrdlv3.exe, 00000014.00000002.2625664951.0000000002D89000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: SCSI\NECVMWarVMware_SATA_CD001
                Source: winrdlv3.exe, 00000014.00000003.1455820212.0000000000E69000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1494583857.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1455920356.0000000000E80000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1460301607.0000000000E91000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1459327768.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1494786118.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1565587853.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1626578573.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1606864820.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1455213116.0000000000E78000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1565229125.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PPMHMicrosoft Hyper-V Virtualization Infrastructure DriverROOT\VID0000Vid
                Source: #U8fdd#U89c4#U540d#U5355.exe Binary or memory string: >QEMu
                Source: winrdlv3.exe, 00000014.00000003.1510131773.00000000006BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}u
                Source: winrdlv3.exe, 00000014.00000003.1622553485.00000000006A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&0000000000_6600_@_2.40_GHz\_1.dll,-21781
                Source: winrdlv3.exe, 00000014.00000003.1483825457.0000000000675000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                Source: 7z.exe, 00000006.00000003.1419070470.0000000003C95000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: xwork.exeqq.exeteamviewer_service.exe;vncserver.exe;ToDesk_Service.exe;SunloginClient.exe;winvnc4.exeteamviewer_service.exewwahost.exevmware-authd.exeRsTray.exe;RsMain.exe;RsConfig.exe;RavTray.exe;ScanFrm.exe;RavMonD.exeCTIjtDrvRule::SetDefRule [====]CTIjtDrvRule::SetDefRule [i = %d] [ret = %d] [%d %d %s %d %d %d] [%s] [%s]CTIjtDrvRule::SetDefRule [Config] 2 [!!!!] [%d]CTIjtDrvRule::SetDefRule [Config] 1 [%d] [%08x]CTIjtDrvRule::SetDefRule [----]CTIjtDrvRule::CheckRule [====]CTIjtDrvRule::CheckRule 3 [%d %d %d]CTIjtDrvRule::CheckRule 2 [%d %d]CTIjtDrvRule::CheckRule 1 [%08x] [%s]CTIjtDrvRule::CheckRule [----]CTIjtDrvRule::AppRule [i = %d] [ret = %d] [####] [%d %d %s %d %d %d] [%s] [%s]CheckIjtDrvToVds [%d][%s];Guid={F3CDAA5B-457B-4EA6-B5B5-9C50D1F7B86F},Id=102,Type=1,Mode=1,Bit=2,Procs=vds.exe,Modules=winhafnt64.dll;Guid={263A953C-7091-4D30-955F-55D57A00BF55},Id=102,Type=1,Mode=1,Bit=1,Procs=vds.exe,Modules=winhafnt.dllvds.exe
                Source: winrdlv3.exe, 00000014.00000003.1881209202.0000000002DAC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @vmicshutdown$
                Source: winrdlv3.exe, 00000014.00000002.2620622167.0000000000608000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @oem2.infloc.vmwarebusdevicedescVMware VMCI Bus DeviceEV_1001HDAUDIO\FUNC_01&VEN_15AD&DEV_1975&SUBSYS_15AD1975
                Source: winrdlv3.exe, 00000014.00000003.1881209202.0000000002DAC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRomNECVMWarVMware_SATA_CD001.00
                Source: winrdlv3.exe, 00000014.00000003.1493284803.0000000000682000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: gstorage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000c5e500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: winrdlv3.exe, 00000014.00000003.1881209202.0000000002DAC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmicshutdown
                Source: winrdlv3.exe, 00000014.00000003.1881209202.0000000002DAC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @vmicheartbeat4
                Source: winrdlv3.exe, 00000014.00000003.1508954338.00000000006A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
                Source: winrdlv3.exe, 00000014.00000003.1881209202.0000000002DAC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PPMHNECVMWar VMware SATA CD00
                Source: winrdlv3.exe, 00000014.00000003.1481626702.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DiskVMware__Virtual_disk____2.0_NOT FOUNDdisk
                Source: winrdlv3.exe, 00000014.00000003.1881209202.0000000002DAC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmicvss
                Source: winrdlv3.exe, 00000014.00000003.1502270246.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Virtual disk SCSI Disk Device
                Source: winrdlv3.exe, 00000014.00000003.1622553485.00000000006A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}b8b}
                Source: winrdlv3.exe, 00000014.00000003.1622553485.00000000006A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: winrdlv3.exe, 00000014.00000003.1512550059.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
                Source: winrdlv3.exe, 00000014.00000002.2620945707.0000000000641000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&z
                Source: winrdlv3.exe, 00000014.00000003.1512550059.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
                Source: winrdlv3.exe, 00000014.00000003.1479785833.000000000067C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: winrdlv3.exe, 00000014.00000003.1481226546.0000000000ED2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: irtual disk SCSI Disk DeviceSCSI\DiskVMware__Virtual_disk____2.0_NOT FOUNDdisk
                Source: winrdlv3.exe, 00000014.00000002.2623053817.00000000013C2000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: SCSI\CDROMNECVMWARVMWARE_SATA_CD001.\Device\00000025SCSI\CdRomNECVMWarVMware_SATA_CD001.00SCSI\CdRomNECVMWarVMware_SATA_CD00SCSI\CdRomNECVMWarSCSI\NECVMWarVMware_SATA_CD001NECVMWarVMware_SATA_CD001GenCdRomSCSI\CdRomNECVMWarVMware_SATA_CD001.00SCSI\CdRomNECVMWarVMware_SATA_CD00SCSI\CdRom\Device\00000025SCSI\CdRomNECVMWarVMware_SATA_CD001.00SCSI\CdRomNECVMWarVMware_SATA_CD00SCSI\CdRomNECVMWarSCSI\NECVMWarVMware_SATA_CD001NECVMWarVMware_SATA_CD001GenCdRomD{
                Source: winrdlv3.exe, 00000014.00000003.1627505894.0000000000ED5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PCI Express Root Complex0PPMHNECVMWar VMware SATA CD00SCSI\CdRomNECVMWarVMware_SATA_CD001.00NOT FOUNDcdrom
                Source: winrdlv3.exe, 00000014.00000002.2622011718.0000000000E59000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMWARE SATA CD00
                Source: winrdlv3.exe, 00000014.00000003.1510604217.00000000006BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}u
                Source: winrdlv3.exe, 00000014.00000002.2620622167.0000000000608000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.2620210881.000001D277238000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: winrdlv3.exe, 00000014.00000003.1479541030.0000000000665000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pdstorage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000c5e500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: winrdlv3.exe, 00000014.00000003.1512550059.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
                Source: winrdlv3.exe, 00000014.00000003.2085473245.00000000006A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRomNECVMWarVMware_SATA_CD001.00SCSI\B
                Source: winrdlv3.exe, 00000014.00000003.2085473245.00000000006A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&0000000000
                Source: winrdlv3.exe, 00000014.00000003.1622553485.00000000006A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&0000008}W
                Source: winrdlv3.exe, 00000014.00000003.1881209202.0000000002DAC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @dot3svc\DiskVMware__Virtual_disk____2.0_
                Source: winrdlv3.exe, 00000014.00000003.1481626702.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DiskVMware__Virtual_disk____2.0_
                Source: winrdlv3.exe, 00000014.00000003.1480247278.0000000000674000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: estorage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000c5e500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: winrdlv3.exe, 00000014.00000002.2620945707.0000000000641000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Elscsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&00000
                Source: svchost.exe, 0000001C.00000002.2621109761.0000020A89A00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
                Source: winrdlv3.exe, 00000014.00000003.1455820212.0000000000E69000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1494583857.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1455920356.0000000000E80000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1496857306.0000000002D9B000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000002.2622011718.0000000000ED5000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1460301607.0000000000E91000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1494786118.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1565587853.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1626578573.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1606864820.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000003.1507654141.0000000002DC9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PPMHMicrosoft Hyper-V Generation Counter
                Source: winrdlv3.exe, 00000014.00000003.1493777491.0000000000682000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: gscsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000c5e500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe API call chain: ExitProcess graph end node graph_0-3072
                Source: C:\Windows\SysWOW64\winrdlv3.exe API call chain: ExitProcess graph end node
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe Process information queried: ProcessInformation
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Code function: 17_2_004A6280 NtQuerySystemInformation,GetCurrentProcessId,NtQuerySystemInformation,GetLastError,17_2_004A6280
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe Code function: 0_2_0040602D GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_0040602D
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Code function: 17_2_004100C0 GetTokenInformation,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,GetProcessHeap,HeapFree,17_2_004100C0
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\winrdlv3.exe Process token adjusted: Debug
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Code function: 17_2_004482DC SetUnhandledExceptionFilter,17_2_004482DC
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Code function: 17_2_004482EE SetUnhandledExceptionFilter,17_2_004482EE
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: 18_2_0042A849 SetUnhandledExceptionFilter,18_2_0042A849
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: 18_2_0042A837 SetUnhandledExceptionFilter,18_2_0042A837
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_10017C80 SetErrorMode,SetUnhandledExceptionFilter,19_2_10017C80
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_1003B777 SetUnhandledExceptionFilter,19_2_1003B777
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: 19_2_1003B789 SetUnhandledExceptionFilter,19_2_1003B789
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Code function: 17_2_00489310 LogonUserA,LogonUserW,LogonUserA,17_2_00489310
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe Process created: C:\Windows\SysWOW64\Dism.exe dism /mount-wim /wimfile:"C:\Users\user\AppData\Local\Temp\System.wim" /index:1 /mountdir:"C:\Users\user\AppData\Local\Temp\System"
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe Process created: C:\Users\user\AppData\Local\Temp\7z.exe C:\Users\user\AppData\Local\Temp\7z.exe x LInstSvr.7z -oC:\Windows -pa123456789 -y
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe Process created: C:\Users\user\AppData\Local\Temp\7z.exe C:\Users\user\AppData\Local\Temp\7z.exe x winrdlv3.rar -oC:\Windows\system32 -pa123456789 -y
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe"
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall add rule name="winrdlv3" dir=out action=allow program="C:\Windows\system32\winrdlv3.exe"
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe Process created: C:\Program Files (x86)\Common Files\System\systecv3.exe "C:\Program Files (x86)\Common Files\System\systecv3.exe" SW_HIDE
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe Process created: C:\Program Files (x86)\Common Files\System\winrdgv3.exe "C:\Program Files (x86)\Common Files\System\winrdgv3.exe" SW_HIDE
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe Process created: C:\Windows\SysWOW64\winrdlv3.exe "C:\Windows\system32\winrdlv3.exe" SW_HIDE
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe Process created: C:\Windows\SysWOW64\Dism.exe Dism /Unmount-Wim /MountDir:"C:\Users\user\AppData\Local\Temp\System" /commit
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe"
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="winrdlv3" dir=out action=allow program="C:\Windows\system32\winrdlv3.exe"
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Code function: 17_2_004D6120 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CloseHandle,CloseHandle,17_2_004D6120
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Code function: 17_2_0040FF00 GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,EqualSid,FreeSid,17_2_0040FF00
                Source: #U8fdd#U89c4#U540d#U5355.exe, 00000000.00000003.1403088012.000000000407A000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469806614.0000020C89D2A000.00000004.00000020.00020000.00000000.sdmp, wimserv.exe, 00000005.00000003.1469804953.0000020C89E35000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
                Source: 7z.exe, 00000006.00000003.1419070470.000000000435D000.00000004.00001000.00020000.00000000.sdmp, 7z.exe, 00000008.00000003.1428707960.0000000002F40000.00000004.00001000.00020000.00000000.sdmp, winwdgv3.dll.8.drBinary or memory string: ;;ConvertSidToStringSidAadvapi32.dllConvertSidToStringSidWdefaultShell_TrayWnd%s\Explorer.exeCoCreateGuidole32.dll\*\*2008nameStaWdgSvrINJWdgMod...\\?\UNC\\\\\?\\\.\%s.bak%08X_tmpChangeWindowMessageFilteruser32.dllfloppycdromA:NTFSEXFATFAT32FAT32FATFAT12FAT16FAT16A:\\\.\A:%s.%s.%s.%s\logon.exeSysVol\Global??\FltMgrMsgAfd\Mailslot\NamedPipe\Pipe\\Device\\??\\\.\unc\\\?\unc\\??\unc\\\?\TSD_VOLUME\??\TSD_VOLUME\\.\TSD_VOLUMEGlobal??\FltMgrMsgAfd\Mailslot\NamedPipe\Pipe\\Device\\\.\\\?\\??\\\.\unc\\\?\unc\\??\unc\\\?\TSD_VOLUME\??\TSD_VOLUME\\.\TSD_VOLUME%s\*Temp_Docerr_SCDTTempTKStsdocbakWinPatchfilesMailsLeaveMailsTempmails\\GetComputerNameExWGetComputerNameExAexplorer.exeExplorer.exe%s"%s" %sScreen-saverScreenSaverDisconnectWinlogonGetCompressedFileSizeWtooltips_class32%s%sGetLastInputInfoUser32.dll%d%s=|%s=LockWorkStationImmDisableIMEImm32.dllNoModifyNoRepairDisplayIconDisplayVersionInstallDatePublisherDisplayNameUninstallStringSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSetFilePointerExA:%sCertNameToStrWcrypt32.dllWTHelperGetProvCertFromChainWTHelperGetProvSignerFromChainWTHelperProvDataFromStateDataWinVerifyTrustExwintrust.dllsign[%s] CKDigitalSignature::IsSigned WinVerifyTrust err[0x%x]CKDigitalSignature::GetSignName dwRetCode(0x%x) wszInfo(%s)CKDigitalSignature::GetSignName 6CKDigitalSignature::GetSignName 5CKDigitalSignature::GetSignName 4CKDigitalSignature::GetSignName 3CKDigitalSignature::GetSignName 2CKDigitalSignature::GetSignName 1CKDigitalSignature::GetSignNameSecurityCKSecurity::AddAccountMask [####] [ret: %d] [Path: %s] [Name: %s] [Mask: %08x] [Sid: %08x]CKSecurity::AddAccountMask2 [####] [ret: %d] [Path: %s] [Mask: %08x] [Name: %s] [Sid: %08x]NULLCKSecurity::AddEveryoneMask [####] [ret: %d] 
[Path: %s] [Mask: %08x] [Sid: %08x]S-1-15-2-1S-1-15-2-2CKSecurity::AddAccountMask [####] [Sel] [ret: %d] [myerror: %d] [Path: %s] [Mask: %08x] [Sid: %08x]CKSecurity::GetSid [####] [ret: %d] [myerror: %d] [Name: %s] [Sid: %08x]CKSecurity::GetSid2 [####] [ret: %d] [myerror: %d] [Name: %s] [Sid: %08x]CKSecurity::GetEveryoneSid [####] [ret: %d] [myerror: %d] [Sid: %08x]S-1-1-0CKSecurity::GetSd [####] [ret: %d] [myerror: %d] [Path: %s] [Sd: %08x]CKSecurity::SetSd [####] [ret: %d] [Path: %s] [Sd: %08x]CKSecurity::IsDenyInSd [####] [ret: %d] [myerror: %d] [Sd: %08x]CKSecurity::IsInSd [####] [ret: %d] [myerror: %d] [Sd: %08x] [Sid: %08x] [Mask: %08x]CKSecurity::CopySd [####] [ret: %d] [myerror: %d] [SrcSd: %08x] [DstSd: %08x] [Sid: %08x] [Mask: %08x]CKSecurity::GetAcl [####] [ret: %d] [Sd: %08x] [Acl: %08x] [b: %08x]CKSecurity::SetAcl [####] [ret: %d] [Acl: %08x] [Sd: %08x]CKSecurity::CopyAcl [####] [ret: %d] [myerror: %d] [Sd: %08x] [Acl: %08x] [Sid: %08x] [Mask: %08x]CKSecurity::CopyAcl [####] [Inner] [ret: %d] [myerror: %d] [SrcAcl: %08x] [DstAcl: %08x] [b: %08x] [Sid: %08x] [Mask: %08x]CKSecurity::IsDenyInAcl [####] [Inner] [ret: %d] [myerror: %d] [Acl: %08x] [Index: %d]CKSecurity::IsInAcl [####] [Inner] [ret: %d] [myerror: %d] [Acl: %08x] [Si
                Source: 7z.exe, 00000006.00000003.1419070470.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000002.2627798055.0000000010A76000.00000008.00000001.01000000.00000014.sdmp Binary or memory string: CAdminTokenMgr::CreateAdminToken [=====] [hUserToken = %08x], [hAdminToken = %08x], [OnlyAdminGroup = %d], [dwAdminType = %d]explorer.exeDefaultShell_TrayWnd
                Source: 7z.exe, 00000006.00000003.1419070470.000000000458D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: explorer.exeExplorer.exeShell_TrayWnd"
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Code function: EnumSystemLocalesA,17_2_0044C00F
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Code function: EnumSystemLocalesA,17_2_0044C29A
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Code function: EnumSystemLocalesA,17_2_0044C3AD
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Code function: GetLocaleInfoA,17_2_0044C5A1
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,17_2_0044E9A3
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Code function: GetLocaleInfoA,MultiByteToWideChar,17_2_0044EA60
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,17_2_0044EAB6
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Code function: GetLocaleInfoW,WideCharToMultiByte,17_2_0044EB79
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Code function: GetLocaleInfoA,IsValidCodePage,IsValidLocale,17_2_0044BE3A
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: GetLocaleInfoA,IsValidCodePage,IsValidLocale,18_2_0042E4BA
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: EnumSystemLocalesA,18_2_0042E68F
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: EnumSystemLocalesA,18_2_0042E91A
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: EnumSystemLocalesA,18_2_0042EA2D
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: GetLocaleInfoA,18_2_0042EC21
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,18_2_00431023
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: GetLocaleInfoA,MultiByteToWideChar,18_2_004310E0
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,18_2_00431136
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: GetLocaleInfoW,WideCharToMultiByte,18_2_004311F9
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: GetLocaleInfoA,IsValidCodePage,IsValidLocale,19_2_1003F57A
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: EnumSystemLocalesA,19_2_1003F74F
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: EnumSystemLocalesA,19_2_1003F9DA
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: EnumSystemLocalesA,19_2_1003FAED
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: GetLocaleInfoA,19_2_1003FCE1
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,19_2_10041FD5
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: GetLocaleInfoA,MultiByteToWideChar,19_2_10042092
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,19_2_100420E8
                Source: C:\Windows\SysWOW64\winrdlv3.exe Code function: GetLocaleInfoW,WideCharToMultiByte,19_2_100421AB
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exe Queries volume information: C:\Windows\Logs\DISM\dism.log VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exe Queries volume information: C:\Users\user\AppData\Local\Temp\System.wim VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exe Queries volume information: C:\Users\user\AppData\Local\Temp\bfb1ea21-1324-4f57-bc1d-434ef4bf806e VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exe Queries volume information: C:\Users\user\AppData\Local\Temp\System VolumeInformation
                Source: C:\Windows\System32\wimserv.exe Queries volume information: C:\Windows\Logs\DISM\dism.log VolumeInformation
                Source: C:\Windows\System32\wimserv.exe Queries volume information: C:\Users\user\AppData\Local\Temp\fad12352-7d0a-429b-8c04-8fc46cba154e VolumeInformation
                Source: C:\Windows\System32\wimserv.exe Queries volume information: C:\Users\user\AppData\Local\Temp\System\systecv3.exe VolumeInformation
                Source: C:\Windows\System32\wimserv.exe Queries volume information: C:\Users\user\AppData\Local\Temp\System\winrdgv3.exe VolumeInformation
                Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\winrdlv3.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\winrdlv3.exe Queries volume information: \Device\CdRom0\ VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exe Queries volume information: C:\Users\user\AppData\Local\Temp\833722f7-cd47-4ad9-9371-17645a7b5759 VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exe Queries volume information: C:\Users\user\AppData\Local\Temp\cf438fea-2ef3-4394-9563-816b66bc10e0 VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2e1d3608-9c04-4d44-a577-4dd26dc04e1b VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exe Queries volume information: C:\Users\user\AppData\Local\Temp\System\systecv3.exe VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exe Queries volume information: C:\Users\user\AppData\Local\Temp\System\winrdgv3.exe VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exe Queries volume information: C:\Users\user\AppData\Local\Temp\00adcd52-9283-43d0-a14f-f3ed3b4d05ef VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exe Queries volume information: C:\Users\user\AppData\Local\Temp\d37ef516-8223-4430-a7cc-9979a03a32a3 VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exe Queries volume information: C:\Users\user\AppData\Local\Temp\22dc806b-a927-484d-8d56-5320984dde33 VolumeInformation
                Source: C:\Windows\SysWOW64\Dism.exe Queries volume information: C:\Users\user\AppData\Local\Temp\9588ae55-652c-4a4b-8966-e6ee5ef236d4 VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\7z.exe Code function: 6_2_001D8774 GetSystemTimeAsFileTime,6_2_001D8774
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Code function: 17_2_004A2F10 GetUserNameA,17_2_004A2F10
                Source: C:\Program Files (x86)\Common Files\System\systecv3.exe Code function: 17_2_00448D4B GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,17_2_00448D4B
                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe Code function: 0_2_00405D24 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,0_2_00405D24
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Lowering of HIPS / PFW / Operating System Security Settings

                Source: C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe"
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe"
                Source: 7z.exe, 00000006.00000003.1419070470.0000000003C95000.00000004.00001000.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000002.2628749468.0000000010B9C000.00000008.00000001.01000000.00000014.sdmp Binary or memory string: AntiVirus\kvxp.kxp
                Source: 7z.exe, 00000006.00000003.1419070470.0000000003C95000.00000004.00001000.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000002.2628242473.0000000010B16000.00000008.00000001.01000000.00000014.sdmp Binary or memory string: \rav\ccenter.exe
                Source: 7z.exe, 00000006.00000003.1419070470.0000000003C95000.00000004.00001000.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000002.2628749468.0000000010B9C000.00000008.00000001.01000000.00000014.sdmp Binary or memory string: KvXP.kxp
                Source: systecv3.exe, winrdgv3.exe Binary or memory string: ulibcfg.exe
                Source: 7z.exe, 00000006.00000003.1419070470.0000000003C95000.00000004.00001000.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000002.2628749468.0000000010B9C000.00000008.00000001.01000000.00000014.sdmp Binary or memory string: KAV32.EXE
                Source: 7z.exe, 00000006.00000003.1419070470.0000000003C95000.00000004.00001000.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000002.2628749468.0000000010B9C000.00000008.00000001.01000000.00000014.sdmp Binary or memory string: nod32.exe
                Source: systecv3.exe, winrdgv3.exe Binary or memory string: ravmond.exe
                Source: 7z.exe, 00000006.00000003.1419070470.0000000003C95000.00000004.00001000.00020000.00000000.sdmp, winrdlv3.exe, 00000014.00000002.2628749468.0000000010B9C000.00000008.00000001.01000000.00000014.sdmp Binary or memory string: AntiVirus\KVSrvXP.exe
                Source: C:\Windows\SysWOW64\winrdlv3.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter : SELECT * FROM AntiVirusProduct
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: 18_2_00556612 CreateBindCtx,lstrlenW,WideCharToMultiByte,lstrlenA,CoTaskMemFree,18_2_00556612
                Source: C:\Program Files (x86)\Common Files\System\winrdgv3.exe Code function: 18_2_00555F9D lstrlenA,MultiByteToWideChar,lstrlenW,lstrlenW,lstrlenW,CoTaskMemAlloc,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,18_2_00555F9D
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts (2) | Windows Management Instrumentation (1) | LSASS Driver (2) | LSASS Driver (2) | Disable or Modify Tools (2) | Input Capture (1) | System Time Discovery (2) | Remote Services | Archive Collected Data (11) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
                Credentials | Domains | Replication Through Removable Media (1) | Native API (12) | DLL Side-Loading (1) | DLL Side-Loading (1) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | Peripheral Device Discovery (11) | Remote Desktop Protocol | Screen Capture (1) | Non-Standard Port (1) | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | Command and Scripting Interpreter (2) | Valid Accounts (2) | Valid Accounts (2) | Obfuscated Files or Information (3) | Security Account Manager | Account Discovery (1) | SMB/Windows Admin Shares | Input Capture (1) | Steganography | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Service Execution (12) | Windows Service (33) | Access Token Manipulation (21) | DLL Side-Loading (1) | NTDS | System Service Discovery (1) | Distributed Component Object Model | Clipboard Data (1) | Protocol Impersonation | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Registry Run Keys / Startup Folder (1) | Windows Service (33) | File Deletion (1) | LSA Secrets | File and Directory Discovery (5) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | Process Injection (12) | Masquerading (121) | Cached Domain Credentials | System Information Discovery (38) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Registry Run Keys / Startup Folder (1) | Valid Accounts (2) | DCSync | Query Registry (11) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion (3) | Proc Filesystem | Security Software Discovery (271) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Access Token Manipulation (21) | /etc/passwd and /etc/shadow | Virtualization/Sandbox Evasion (3) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Process Injection (12) | Network Sniffing | Process Discovery (3) | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Regsvr32 (1) | Input Capture | Application Window Discovery (1) | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
                Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | Embedded Payloads | Keylogging | System Owner/User Discovery (1) | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking
                Behavior Graph ID: 1443624, Sample: #U8fdd#U89c4#U540d#U5355.exe, Startdate: 18/05/2024, Architecture: WINDOWS, Score: 100

                Source | Detection | Scanner | Label | Link
                #U8fdd#U89c4#U540d#U5355.exe | 18% | Virustotal | | Browse
                #U8fdd#U89c4#U540d#U5355.exe | 24% | ReversingLabs | |
                Source | Detection | Scanner | Label | Link
                C:\Program Files (x86)\Common Files\System\systecv3.exe | 4% | ReversingLabs | |
                C:\Program Files (x86)\Common Files\System\systecv3.exe | 4% | Virustotal | | Browse
                C:\Program Files (x86)\Common Files\System\winrdgv3.exe | 4% | ReversingLabs | |
                C:\Program Files (x86)\Common Files\System\winrdgv3.exe | 4% | Virustotal | | Browse
                C:\Users\user\AppData\Local\Temp\7z.dll | 0% | ReversingLabs | |
                C:\Users\user\AppData\Local\Temp\7z.dll | 0% | Virustotal | | Browse
                C:\Users\user\AppData\Local\Temp\7z.exe | 0% | ReversingLabs | |
                C:\Users\user\AppData\Local\Temp\7z.exe | 0% | Virustotal | | Browse
                C:\Users\user\AppData\Local\Temp\System\systecv3.exe | 4% | ReversingLabs | |
                C:\Users\user\AppData\Local\Temp\System\systecv3.exe | 4% | Virustotal | | Browse
                C:\Users\user\AppData\Local\Temp\System\winrdgv3.exe | 4% | ReversingLabs | |
                C:\Users\user\AppData\Local\Temp\System\winrdgv3.exe | 4% | Virustotal | | Browse
                C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\ExecDos.dll | 0% | ReversingLabs | |
                C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\ExecDos.dll | 0% | Virustotal | | Browse
                C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\NsProcess.dll | 0% | ReversingLabs | |
                C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\NsProcess.dll | 0% | Virustotal | | Browse
                C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\System.dll | 0% | ReversingLabs | |
                C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\System.dll | 1% | Virustotal | | Browse
                C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\nsExec.dll | 0% | ReversingLabs | |
                C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\nsExec.dll | 0% | Virustotal | | Browse
                C:\Windows\LInstSvr.exe | 0% | ReversingLabs | |
                C:\Windows\LInstSvr.exe | 1% | Virustotal | | Browse
                C:\Windows\SysWOW64\bakrdgv3.sys | 4% | ReversingLabs | |
                C:\Windows\SysWOW64\bakrdgv3.sys | 4% | Virustotal | | Browse
                C:\Windows\SysWOW64\bakstec3.sys | 4% | ReversingLabs | |
                C:\Windows\SysWOW64\bakstec3.sys | 4% | Virustotal | | Browse
                C:\Windows\SysWOW64\winoav3.dll | 0% | ReversingLabs | |
                C:\Windows\SysWOW64\winoav3.dll | 1% | Virustotal | | Browse
                C:\Windows\SysWOW64\winrdlv3.exe | 0% | ReversingLabs | |
                C:\Windows\SysWOW64\winrdlv3.exe | 3% | Virustotal | | Browse
                C:\Windows\SysWOW64\winwdgv3.dll | 4% | ReversingLabs | |
                C:\Windows\SysWOW64\winwdgv3.dll | 4% | Virustotal | | Browse
                C:\Windows\System32\winwdgv364.dll | 0% | ReversingLabs | |
                C:\Windows\System32\winwdgv364.dll | 1% | Virustotal | | Browse
                C:\Windows\bakoav3.sys | 0% | ReversingLabs | |
                C:\Windows\bakoav3.sys | 1% | Virustotal | | Browse
                C:\Windows\bakrdgv3.sys | 4% | ReversingLabs | |
                C:\Windows\bakrdgv3.sys | 4% | Virustotal | | Browse
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                http://nsis.sf.net/NSIS_Error | 0% | URL Reputation | safe |
                http://www.openssl.org/support/faq.html.................... | 0% | URL Reputation | safe |
                http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe |
                https://curl.haxx.se/docs/http-cookies.html | 0% | URL Reputation | safe |
                http://www.openssl.org/support/faq.html | 0% | URL Reputation | safe |
                http://www.register-center.com/=C: | 0% | Avira URL Cloud | safe |
                http://www.register-center.com/N | 0% | Avira URL Cloud | safe |
                http://www.register-center.com/ | 0% | Avira URL Cloud | safe |
                http://www.register-center.com/xE | 0% | Avira URL Cloud | safe |
                https://st.todesk.com/config-center/sync-config?fullUpdate=true | 0% | Avira URL Cloud | safe |
                https://st.todesk.com/config-center/sync-config?fullUpdate=false | 0% | Avira URL Cloud | safe |
                http://crl3.dp) | 0% | Avira URL Cloud | safe |
                http://www.dig. | 0% | Avira URL Cloud | safe |
                http://www.register-center.com/N | 0% | Virustotal | | Browse
                http://.exe890830CWinPatchInstaller::AddTask | 0% | Avira URL Cloud | safe |
                http://www.register-center.com/w | 0% | Avira URL Cloud | safe |
                http://www.register-center.com/ | 0% | Virustotal | | Browse
                No contacted domains info
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://www.register-center.com/=C: | winrdgv3.exe | false | Avira URL Cloud: safe | unknown
                http://nsis.sf.net/NSIS_Error | #U8fdd#U89c4#U540d#U5355.exe | false | URL Reputation: safe | unknown
                http://www.register-center.com/ | winrdgv3.exe, winrdlv3.exe | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                http://www.register-center.com/N | #U8fdd#U89c4#U540d#U5355.exe, wimserv.exe, 7z.exe, systecv3.exe | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                http://www.register-center.com/xE | winrdlv3.exe | false | Avira URL Cloud: safe | unknown
                http://www.openssl.org/support/faq.html.................... | #U8fdd#U89c4#U540d#U5355.exe, wimserv.exe, 7z.exe, systecv3.exe, winrdgv3.exe, winrdlv3.exe, Dism.exe, systecv3.exe.5.dr, winwdgv3.dll.8.dr | false | URL Reputation: safe | unknown
                https://st.todesk.com/config-center/sync-config?fullUpdate=true | servicephqghume_2023_09_23.log.0.dr | false | Avira URL Cloud: safe | unknown
                http://crl3.dp) | winrdgv3.exe | false | Avira URL Cloud: safe | unknown
                http://nsis.sf.net/NSIS_ErrorError | #U8fdd#U89c4#U540d#U5355.exe | false | URL Reputation: safe | unknown
                https://st.todesk.com/config-center/sync-config?fullUpdate=false | servicephqghume_2023_09_23.log.0.dr | false | Avira URL Cloud: safe | unknown
                http://www.dig. | winrdlv3.exe | false | Avira URL Cloud: safe | unknown
                http://.exe890830CWinPatchInstaller::AddTask | 7z.exe, winrdlv3.exe | false | Avira URL Cloud: safe | unknown
                http://www.register-center.com/w | winrdlv3.exe | false | Avira URL Cloud: safe | unknown
                https://curl.haxx.se/docs/http-cookies.html | 7z.exe, winrdlv3.exe | false | URL Reputation: safe | unknown
                http://www.openssl.org/support/faq.html | #U8fdd#U89c4#U540d#U5355.exe, wimserv.exe, 7z.exe, systecv3.exe, winrdgv3.exe, winrdlv3.exe, Dism.exe, systecv3.exe.5.dr | false | URL Reputation: safe | unknown
                IP:45.125.48.89
                Domain:unknown
                Country:Hong Kong
                ASN:132325
                ASN Name:LEMON-AS-APLEMONTELECOMMUNICATIONSLIMITEDHK
                Malicious:false
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1443624
                Start date and time:2024-05-18 03:35:48 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 10m 35s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:32
                Number of new started drivers analysed:3
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:#U8fdd#U89c4#U540d#U5355.exe
                renamed because original name is a hash value
                Original Sample Name:.exe
                Detection:MAL
                Classification:mal100.evad.winEXE@42/95@0/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 95%
                • Number of executed functions: 123
                • Number of non-executed functions: 286
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                • Not all processes were analyzed, report is missing behavior information
                • Report creation exceeded maximum time and may have missing disassembly code information.
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size exceeded maximum capacity and may have missing disassembly code.
                • Report size getting too big, too many NtDeviceIoControlFile calls found.
                • Report size getting too big, too many NtEnumerateKey calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                No simulations
                No context
                No context
                Match: LEMON-AS-APLEMONTELECOMMUNICATIONSLIMITEDHK
                Associated Sample Name / URL | Detection | Threat Name | Context
                OtcfX6j1KC.exe | malicious | Unknown | 103.71.154.163
                OtcfX6j1KC.exe | malicious | Unknown | 103.71.154.163
                Ooseha.exe | malicious | FormBook | 103.71.154.243
                file.exe | malicious | FormBook | 103.71.154.243
                28uAna2h01.exe | malicious | FormBook | 103.71.154.243
                P3oBHu3d3E.exe | malicious | FormBook | 103.71.154.244
                DHL_AWB_907853880911.exe | malicious | FormBook | 103.71.154.59
                Pre_Qualification_Doc.exe | malicious | FormBook | 103.71.154.59
                FT_-_007272023.exe | malicious | FormBook, NSISDropper | 103.71.154.100
                ACp6pRv2ao.elf | malicious | Mirai | 103.193.174.196
                No context
                Match | Associated Sample Name / URL | Detection | Threat Name
                C:\Program Files (x86)\Common Files\System\systecv3.exe | setup#U67e5#U770b.exe | malicious | Unknown
                C:\Program Files (x86)\Common Files\System\winrdgv3.exe | setup#U67e5#U770b.exe | malicious | Unknown
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):2421224
                    Entropy (8bit):6.490220533880386
                    Encrypted:false
                    SSDEEP:24576:mrmoCH/siu9xQBvJ4TyKyCdgjBXj0jHy3WBZ3cRDusH192mdoEtPg+61zpw94I25:mhxaM+7g+Kzq4I28/1eKle7mLXyn0Lw
                    MD5:B9E0A7CBD7FDB4D179172DBDD453495A
                    SHA1:7F1B18A2BEE7DEFA6DB4900982FD3311AABED50D
                    SHA-256:CB72B724C5F57E83CC5BC215DD522C566E0EA695B9E3D167EED9BE3F18D273CE
                    SHA-512:720985495B67E87F6ECF62268D7DC8FECDB7C06CF9606CE1A12CE4EA741DD3D46A759420E02EC54BC6E96E49D37A2E19AC307093B1228C01914C8E632A8D373C
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 4%
                    • Antivirus: Virustotal, Detection: 4%, Browse
                    Joe Sandbox View:
                    • Filename: setup#U67e5#U770b.exe, Detection: malicious, Browse
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1802728
                    Entropy (8bit):6.520593089987922
                    Encrypted:false
                    SSDEEP:24576:I1iQzjPLwVa0gzIkUeSr18gU9W36RO5TsHKGaXDx0hl:Iz5zISSrqW36I7FXDx0hl
                    MD5:97AC3EF2E098C4CB7DD6EC1D14DC28F1
                    SHA1:3E78E87EEFE45F8403E46D94713B6667AEE6D9C9
                    SHA-256:A3D817490804A951BAC1C7B1EA6F48AED75BAEC7E3B4E31BE4FBD1FE82860BB1
                    SHA-512:693E90DA2581306A1F9BB117142429301C7DC28A8CAF623C4DFC21F735C53C4502E2B58A5EBDBD8C568DFD3393D1687428F1934F4C28B4FC715EB8F856AC02CD
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 4%
                    • Antivirus: Virustotal, Detection: 4%, Browse
                    Joe Sandbox View:
                    • Filename: setup#U67e5#U770b.exe, Detection: malicious, Browse
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:ASCII text, with CRLF, CR line terminators
                    Category:modified
                    Size (bytes):416
                    Entropy (8bit):4.2129365121397795
                    Encrypted:false
                    SSDEEP:6:ZJocgvCIN2By1sZ23fFMWxRAi2OYOd0Cyp6d0CyxtqX4E8NGN8e:rIN2lcNBrXSQ0Cyp80CyGXB8NGNT
                    MD5:4565896E7782CE2C11EA54223A175415
                    SHA1:B92ECE48B886A3C2D2619CD22F105CB51D6F9917
                    SHA-256:1A6B0335B73ACF1AF1448BDF25889F77C3FC851DD3CA6A608B2566E244BB5BC8
                    SHA-512:21913C1E0BEF7CF218AC5A655197ED361691BE1D4191DE0762FED148D1B2F3159A216617428E0C069CCFBCD2E278D6C56581353075F3F31B5233FD3BBB8F1667
                    Malicious:false
                    Preview:..Deployment Image Servicing and Management tool..Version: 10.0.19041.746....Image File : C:\Users\user\AppData\Local\Temp\System.wim..Image Index : 1..Saving image...[===========================57.0%= ] ...[==========================100.0%==========================] ..Unmounting image...[==========================100.0%==========================] ..The operation completed successfully...
                    Process:C:\Windows\SysWOW64\Dism.exe
                    File Type:x86 executable
                    Category:dropped
                    Size (bytes):704
                    Entropy (8bit):3.5728578030546716
                    Encrypted:false
                    SSDEEP:12:Rsw7gl/NtCUVw7Jsw7gl/ERFw7mXyo2zE006SGTVaR7D:2w8NHwqw8EnwKXp7yS5
                    MD5:55068FBE8A91CCAE4A53F2BA839C20DE
                    SHA1:D46991761B96681917A97853ABD659750CAFA822
                    SHA-256:4B112CA40272BE8E4ACBEC70059BE12DD7322AC494501244B920EA52DE6044AE
                    SHA-512:DDFC566DE8DCDAC2716F96846DC6A39BC812A62B70F211488FF8B256535E49B5374FD84FB3951BD68CB3EBC90EED0DB03B062301F1930DD343F554644181F827
                    Malicious:false
                    Process:C:\Windows\SysWOW64\Dism.exe
                    File Type:Unicode text, UTF-16, little-endian text, with very long lines (406), with no line terminators
                    Category:dropped
                    Size (bytes):814
                    Entropy (8bit):3.381266407504656
                    Encrypted:false
                    SSDEEP:24:Q3iXAKMalVE8idpOsGLV+eOsHsGR+pzstdyFdAys:ggjMaX28sGExsHsGEpzsHKNs
                    MD5:F0ECD1412EF28F59932E52F0C856A9B5
                    SHA1:770C3E24F2E78DD0EEB4CD5A8827521963C4894F
                    SHA-256:DD7BF45F567337DC54633A2C2937B77327D40B9C69C55A6D782212EC6201F461
                    SHA-512:148BF130CDAE85272294EBB5B2B4CFED576AC2E4F5F93C5435FC30D05E0D66156FAB1D3493566DF88078A4CFD8EFB468ED3719937E9E82772A65CD7F78F44D36
                    Malicious:false
                    Preview:<WIM><TOTALBYTES>4226274</TOTALBYTES><IMAGE INDEX="1"><NAME>1</NAME><DIRCOUNT>0</DIRCOUNT><FILECOUNT>2</FILECOUNT><TOTALBYTES>4223952</TOTALBYTES><CREATIONTIME><HIGHPART>0x01DAA7BE</HIGHPART><LOWPART>0xEDB3F7E3</LOWPART></CREATIONTIME><LASTMODIFICATIONTIME><HIGHPART>0x01DAA8C3</HIGHPART><LOWPART>0xE193309B</LOWPART></LASTMODIFICATIONTIME><HARDLINKBYTES>0</HARDLINKBYTES><WIMBOOT>0</WIMBOOT></IMAGE></WIM>
                    Process:C:\Windows\SysWOW64\Dism.exe
                    File Type:Matlab v4 mat-file (little endian) \377\377\377\377x, rows 0, columns 104
                    Category:dropped
                    Size (bytes):400
                    Entropy (8bit):2.394936848073769
                    Encrypted:false
                    SSDEEP:6:a8t7sX51+me2zE0A6tz1ajHTbxUgEZR7DA6t:aMgXrZXzE0RMTVaR7D
                    MD5:9F668DD431B67705B754380187C54A71
                    SHA1:6C89CA32AD4F4C2BCA7FF81F5F4385CD192D3D74
                    SHA-256:7A52DBF9000A9A734000C322D7636F00D4E7938896D3F740D862C1D660EAF67B
                    SHA-512:788259889E61ED5BA12FEC24FBDC2EFA645F9B939E19D88E5CB456833C162190AD1C1521886420A977106B841320CA3B0F5CAA63E2179141DD194FF13061E5BD
                    Malicious:false
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1163736
                    Entropy (8bit):6.6207610426809005
                    Encrypted:false
                    SSDEEP:24576:p4K5hK124cWKupj+zEgf94/JEo2BXrXNH6YsPfRQuIeCoFkDeK:p4wKYJuN+zEgoJSaNPpQuIeDkDe
                    MD5:3F78C51A0A5CB5E0536FF63EF3D75E11
                    SHA1:557E55064B161841DA857FC6BC6F408963F82E07
                    SHA-256:4200B6B656C3C7B6447A42632451E2402245815ECCD6F9A3BAFF60585FBB0B0F
                    SHA-512:F4B485A27341E8C163C704BEA4624CC3A9C4C8215790F83B290CE59526E0515A3F4A96BB17623A404F42A7B47A05AD6F912D61D6CD7BF6AD370A2004AE7C48FD
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%, Browse
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):309720
                    Entropy (8bit):6.5933657164977
                    Encrypted:false
                    SSDEEP:6144:fdeUJaXYOMqsGXKdFhLOWtE+Q2UsIEgbbe73aTL/VctpuaLyeUeC:fdRVOsfCyE+QPsIEic3k
                    MD5:36A3807A11DF584777165172C71797EE
                    SHA1:FA588A65041D8947FA98E9507C69E43D11B450D2
                    SHA-256:26D550366491EE0FE14F6CBB67C9BAC55300A04B34E92F973A96D00CEF071E5E
                    SHA-512:8D265CFE5ABCDB6B627414786763B1B7099E8DEE52F79B99E768DFC77995EE1139177C5BC26ABAE219216D0540A3C5DAE9ACA8AABE322D737A0509F94D269779
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%, Browse
                    Process:C:\Windows\SysWOW64\Dism.exe
                    File Type:Matlab v4 mat-file (little endian) \377\377\377\377x, rows 0, columns 104
                    Category:dropped
                    Size (bytes):400
                    Entropy (8bit):2.394936848073769
                    Encrypted:false
                    SSDEEP:6:a8t7sX51+me2zE0A6tz1ajHTbxUgEZR7DA6t:aMgXrZXzE0RMTVaR7D
                    MD5:9F668DD431B67705B754380187C54A71
                    SHA1:6C89CA32AD4F4C2BCA7FF81F5F4385CD192D3D74
                    SHA-256:7A52DBF9000A9A734000C322D7636F00D4E7938896D3F740D862C1D660EAF67B
                    SHA-512:788259889E61ED5BA12FEC24FBDC2EFA645F9B939E19D88E5CB456833C162190AD1C1521886420A977106B841320CA3B0F5CAA63E2179141DD194FF13061E5BD
                    Malicious:false
                    Process:C:\Windows\SysWOW64\Dism.exe
                    File Type:x86 executable
                    Category:dropped
                    Size (bytes):704
                    Entropy (8bit):3.5728578030546716
                    Encrypted:false
                    SSDEEP:12:Rsw7gl/NtCUVw7Jsw7gl/ERFw7mXyo2zE006SGTVaR7D:2w8NHwqw8EnwKXp7yS5
                    MD5:55068FBE8A91CCAE4A53F2BA839C20DE
                    SHA1:D46991761B96681917A97853ABD659750CAFA822
                    SHA-256:4B112CA40272BE8E4ACBEC70059BE12DD7322AC494501244B920EA52DE6044AE
                    SHA-512:DDFC566DE8DCDAC2716F96846DC6A39BC812A62B70F211488FF8B256535E49B5374FD84FB3951BD68CB3EBC90EED0DB03B062301F1930DD343F554644181F827
                    Malicious:false
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:Generic INItialization configuration [DrvCeo]
                    Category:dropped
                    Size (bytes):70
                    Entropy (8bit):4.497070968537381
                    Encrypted:false
                    SSDEEP:3:f1AW+DXFBAKV1Kgjy6q3RG/:f1zuFBASAgjy6wi
                    MD5:6DE368531D0C67C2BC1B3A0171A93584
                    SHA1:6C785C65A745D5536FECFA7903E68EFC11480E1D
                    SHA-256:AF8265A7766F14CB49ED3503EDEE7BEA2F8E640B4FBE539324E9F1D46CAFA652
                    SHA-512:2F8FBC626F70389F1F04FE6F40E21FCB6CCDE84147CD530A0DAA81E3454D49F89E44F9EC47B7F47DFDF6C2348D0804F0CE4A9B9BAF76A56F82A34820FFF47E85
                    Malicious:false
                    Preview:[Server]..Host=drvceoup.sysceo.cn..Port=1984..[DrvCeo]..type=netcard..
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                    Category:dropped
                    Size (bytes):1645
                    Entropy (8bit):5.909461956668875
                    Encrypted:false
                    SSDEEP:48:2/6Ozo7FDVknA9WpYYz5OlwY3KHfy3dH097y7nF:2S0o7FhknmWpY659lHfYH09+7F
                    MD5:C2D04CA7997E87428B9218143525E5EB
                    SHA1:E03FF4F21190CB8BD0250EFC7ABF9F88794CD8E1
                    SHA-256:0AA69253268F6E9F4E1E5775D695E32269662C6BBE41A384C4070634FD26B50C
                    SHA-512:042AE8AAD2008A4421ABB7FB2515D7AE0A884BBFE8AD8F52F71907814D6E15B1BEA79766B13BC6927735DCFC1333D7B599C20E5D4C3D175653564CEF5F034083
                    Malicious:false
                    Preview:.PNG........IHDR..............H-.....pHYs.................iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c142 79.160924, 2017/07/13-01:06:39 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmp:CreatorTool="Adobe Photoshop CC (Windows)" xmp:CreateDate="2018-04-18T01:43:51+08:00" xmp:MetadataDate="2018-04-18T01:43:51+08:00" xmp:ModifyDate="2018-04-18T01:43:51+08:00" xmpMM:InstanceID="xmp.iid:9f37837f-dc74-214e-b252-a5ed4cfad703" xmpMM:DocumentID="adobe:docid:photoshop:5b7e6b64-9c32-c344-b3ee-054eb0f6c3f4" xmpMM:OriginalDocumentID="xmp.did:4c63f349-5efd-ae4d-96f4-5e31a4f7d2be" dc:format="image/
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):58
                    Entropy (8bit):4.517042417354859
                    Encrypted:false
                    SSDEEP:3:u3teCJLCWovkJ95iwLoDy:u3tKe95iw6y
                    MD5:9FC5C45BDD7943A750BFB4401C2EC199
                    SHA1:9AC1B05C15D0D4F8401278BC240744A66356AD0E
                    SHA-256:DF2B6032447D99D0A24DF5F751EF87211B1E9F17B2484C41E95B77FE1C234390
                    SHA-512:282EB4A28309123337CE2C6C03D2E6CB39344A7FD526B46A048EA5499AFA16445C34028D3C20B6A6AB0868DBC1645109B986E3D921C7AD7CAF5D4813886251A1
                    Malicious:false
                    Preview:[DrvCeoSet]..ShowMsgBox=off..Autoscan=on..Desktoplnk=off..
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:ASCII text
                    Category:dropped
                    Size (bytes):1096
                    Entropy (8bit):5.13006727705212
                    Encrypted:false
                    SSDEEP:24:36DiJHxRHuyPP3GtIHw1Gg9QH+sUW8Ok4F+d1o36qjFD:36DiJzfPvGt7ICQH+sfIte36AFD
                    MD5:4D42118D35941E0F664DDDBD83F633C5
                    SHA1:2B21EC5F20FE961D15F2B58EFB1368E66D202E5C
                    SHA-256:5154E165BD6C2CC0CFBCD8916498C7ABAB0497923BAFCD5CB07673FE8480087D
                    SHA-512:3FFBBA2E4CD689F362378F6B0F6060571F57E228D3755BDD308283BE6CBBEF8C2E84BEB5FCF73E0C3C81CD944D01EE3FCF141733C4D8B3B0162E543E0B9F3E63
                    Malicious:false
                    Preview:Copyright (c) Electron contributors.Copyright (c) 2013-2020 GitHub Inc...Permission is hereby granted, free of charge, to any person obtaining.a copy of this software and associated documentation files (the."Software"), to deal in the Software without restriction, including.without limitation the rights to use, copy, modify, merge, publish,.distribute, sublicense, and/or sell copies of the Software, and to.permit persons to whom the Software is furnished to do so, subject to.the following conditions:..The above copyright notice and this permission notice shall be.included in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,.EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF.MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND.NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE.LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION.OF CONTRACT, TORT OR OTHERWISE, ARISIN
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:7-zip archive data, version 0.4
                    Category:dropped
                    Size (bytes):4246584
                    Entropy (8bit):7.99995485367236
                    Encrypted:true
                    SSDEEP:98304:aXQiJSPH5rZSbB90qgJLcHYPqYOy0ejQZdYVDehd/:aXQiuBAV9cnPowakC
                    MD5:F362114C214E69EDD8BFA568DDC7ADF1
                    SHA1:BFF8B437CFF93F7FE4B062E231CFFF433B6C905A
                    SHA-256:68662FBEBF87C6B7FF947B54532E5348A2136C6D9A10CBBCFB01FC7567D3D357
                    SHA-512:02363FDEA5A1AB414E59797F59D52180BC6A7D3E8F95907526F9FD5E3ABD35ED9FF9438507133341DC294569BDE4ACE5F52142E22A267D80F7509C7015A18BD2
                    Malicious:false
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):11742
                    Entropy (8bit):3.594077202686223
                    Encrypted:false
                    SSDEEP:192:Rs5/GxyV15WMiSz88XgR3b4RN188cjwkY7taZuOMbfc20ungKFmWTm2i2tcFo:uVTWMHz88X+3SNGjTde0ugL2i2B
                    MD5:A8C3ECD173022692213259D1058E7DEB
                    SHA1:1F7B3D1372D369C0FD09457F38830EBFA592A49E
                    SHA-256:EC84DEAE11AE936AEF6410A23A5B84FE3DC3315D5C537558336CF6979AFBF9F7
                    SHA-512:63D8A5CB3A57FCC0A57176A75E71C465A8A1514E985B7E78182A3E25AAF71ACBF42E763470A11AEAD60B89A7167DD672EF77BEB51EF3A4DAB599A508D1FD8A17
                    Malicious:false
                    Preview:[Control]..Btn_DrvManager="      Driver(&D)"..Btn_Tools="   Tools(&T)"..Btn_Doctor="      Services(&U)"..Btn_Shop="      Shop(&S)"..Btn_Scan=Start Scan(&C)..Lab_ScanTip=Start Scan,Driver Updater..Lab_Listv_Pcname=Name..Lab_Listv_Drvver=FileVer..Lab_Listv_Drvdate=FileDate..Lab_AgainScan=Again Scan..Lab_Serror_AgainScan=Retry..Btn_Setup=Install All(&P)..Rb_DcStable=Stable..Rb_DcNew=New..Lab_PEItip1=Install to the target system..Lab_PEItip2=Please select the target system drive letter to load the 
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):8672
                    Entropy (8bit):5.362574426571773
                    Encrypted:false
                    SSDEEP:192:R9Er87LoXR+/2jUAKtKy1GgTag8kWRjmLz77s0RI+VwfBA9PAKcrSpZ2J72067:wXR+/JAKtFTahU7XInfeuGZ2J72V7
                    MD5:1855EF58C6EA68F97B7B06F934A57066
                    SHA1:C72B1A2E476898DA3B392F21C507DB098E0E7ABA
                    SHA-256:24C7AF10430FB54133E2AD32704E3969B7C65BBE34949287E00585B8751C3D77
                    SHA-512:D40C9178865D83206B248D8DE26EA8D9181A129F26BF57AA4AB27B9421E0BB47C2492B051274A0B203D8F1EEA4571B2F6907A5F5F67C850776E07C031EF9A7A7
                    Malicious:false
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):8704
                    Entropy (8bit):5.364919152132083
                    Encrypted:false
                    SSDEEP:192:RgErrhYQVplHC9AGWNiBmpPntFn15Mc/89Ve/BLwX7DaFqJoNB5yJT42k2U:JplHCVWABA5MRDaIoRt2k2U
                    MD5:5F821627DD9440B1B3CE9F7E5DC6DF97
                    SHA1:287B889B6FA622893CA3422124318F4C8FE6AB42
                    SHA-256:231D77CF9FA771D2BECE030C61427B454A51565B21E52B90A5CCE97E1881EFDC
                    SHA-512:8C30D64C77405A2DC1F6D4F9739EE30F190146FD269BBE733C7C92A367D2400A71348BB0363E2A5A8DC171C8168C5956FF77D8E413532CB35EA5957148994969
                    Malicious:false
                    Preview:..[.C.o.n.t.r.o.l.].....B.t.n._.D.r.v.M.a.n.a.g.e.r.=.". . . . . . .E..R.{.t(.&.D.).".....B.t.n._.T.o.o.l.s.=.". . . ..]wQ.{(.&.T.).".....B.t.n._.D.o.c.t.o.r.=.". . . . . . ...f.:.@b(.&.U.).".....B.t.n._.S.h.o.p.=.". . . . . . ..[.eFU.^(.&.S.).".....B.t.n._.S.c.a.n.=..zsS.j,n(.&.C.).....L.a.b._.S.c.a.n.T.i.p.=..zsS.j,n,..f.elx.NE..R....L.a.b._.L.i.s.t.v._.P.c.n.a.m.e.=..n..T1z....L.a.b._.L.i.s.t.v._.D.r.v.v.e.r.=..e.NHr,g....L.a.b._.L.i.s.t.v._.D.r.v.d.a.t.e.=..e.N.e.g....L.a.b._.A.g.a.i.n.S.c.a.n.=...e.j,n....L.a.b._.S.e.r.r.o.r._.A.g.a.i.n.S.c.a.n.=..dk.f.....B.t.n._.S.e.t.u.p.=..Nu..[.(.&.P.).....R.b._.D.c.S.t.a.b.l.e.=.iz.[!j._....R.b._.D.c.N.e.w.=..g.e!j._....L.a.b._.P.E.I.t.i.p.1.=.E..R...0R.v.j.|q}!j._....L.a.b._.P.E.I.t.i.p.2.=..x..d.v.j.|q}.x.v.R..E..R../e.cvuMRck(W.O(u.v.|q}.TsS.\.r..v.|q}.0....L.a.b._.O.s.D.r.i.v.e.=..|q}.v&{:.....C.b._.D.e.p.l.o.y.L.o.a.d.d.c.=..r.Bf.R......L.a.b._.F.i.x.e.d.D.r.i.v.e.=..V.[.v&{:.....C.b._.S.u.e.f.i.=..zlU.E.F.I. .W.i.n.7. .6.4.MO
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):8676
                    Entropy (8bit):5.36831529343714
                    Encrypted:false
                    SSDEEP:192:RgErrhYQVplHC9AGWNiBmpPntFn15Mc/89Ke/BLwX7DaFqJoNB5yJT42k2U:JplHCVWABA5MeDaIoRt2k2U
                    MD5:31218B29837F9DC19061FDEBF9329208
                    SHA1:ABBF111CEC6390FBCA183D3A5326A59867DD8328
                    SHA-256:15E8FE2F222048DACB4C732CEC7B693A80B448E541165FBA315F7276123E89E9
                    SHA-512:A049146A25BC9D783367A692490AAEBD69ABA1BE5611A98D6EEC08A71E07FE4325838720804D9A5E4C627BF6AC3A591F574482A757F9AD7A491D837D65FACB82
                    Malicious:false
                    Preview:..[.C.o.n.t.r.o.l.].....B.t.n._.D.r.v.M.a.n.a.g.e.r.=.". . . . . . .E..R.{.t(.&.D.).".....B.t.n._.T.o.o.l.s.=.". . . ..]wQ.{(.&.T.).".....B.t.n._.D.o.c.t.o.r.=.". . . . . . ...f.:.@b(.&.U.).".....B.t.n._.S.h.o.p.=.". . . . . . ..[.eFU.^(.&.S.).".....B.t.n._.S.c.a.n.=..zsS.j,n(.&.C.).....L.a.b._.S.c.a.n.T.i.p.=..zsS.j,n,..f.elx.NE..R....L.a.b._.L.i.s.t.v._.P.c.n.a.m.e.=..n..T1z....L.a.b._.L.i.s.t.v._.D.r.v.v.e.r.=..e.NHr,g....L.a.b._.L.i.s.t.v._.D.r.v.d.a.t.e.=..e.N.e.g....L.a.b._.A.g.a.i.n.S.c.a.n.=...e.j,n....L.a.b._.S.e.r.r.o.r._.A.g.a.i.n.S.c.a.n.=..dk.f.....B.t.n._.S.e.t.u.p.=..Nu..[.(.&.P.).....R.b._.D.c.S.t.a.b.l.e.=.iz.[!j._....R.b._.D.c.N.e.w.=..g.e!j._....L.a.b._.P.E.I.t.i.p.1.=.E..R...0R.v.j.|q}!j._....L.a.b._.P.E.I.t.i.p.2.=..x..d.v.j.|q}.x.v.R..E..R../e.cvuMRck(W.O(u.v.|q}.TsS.\.r..v.|q}.0....L.a.b._.O.s.D.r.i.v.e.=..|q}.v&{:.....C.b._.D.e.p.l.o.y.L.o.a.d.d.c.=..r.Bf.R......L.a.b._.F.i.x.e.d.D.r.i.v.e.=..V.[.v&{:.....C.b._.S.u.e.f.i.=..zlU.E.F.I. .W.i.n.7. .6.4.MO
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:Windows imaging (WIM) image v1.13, reparse point fixup
                    Category:dropped
                    Size (bytes):4227088
                    Entropy (8bit):6.509290465216342
                    Encrypted:false
                    SSDEEP:49152:PhxaM+7g+Kzq4I28/1eKle7mLXyn0LLz5zISSrqW36I7FXDx0hz:PhxBJq4I28/1eKlemBz50OWz7W
                    MD5:B84336CF280F1E300D235D1CACB5E662
                    SHA1:E514F3DF7567E67D1C22E5F03CDFF6A779A30CF5
                    SHA-256:BBCDBBA7D0CC2EF19861BA24305BEEBBA5C198BAA1500E2A97BC27FB4B736FEB
                    SHA-512:0EE0C742EBF1BFBFE7485946F18D56BC02E009C2E25BDA160CCE086F1A85B6FCFB72771F58A1698265052C1DBCC29C8070F4CE571B1E9DD76C0AE9086CBA08E1
                    Malicious:false
                    Process:C:\Windows\SysWOW64\Dism.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):416
                    Entropy (8bit):3.2595647105004093
                    Encrypted:false
                    SSDEEP:6:OXvVtElVzUEZ+lX1PkROr1GlmVzUEZ+lX1PkR1TlmVzUEZ+lX1MFVEPn+SkuIBaT:uNeQ1Pk01GlGQ1PkzTlGQ1f+rBaKW
                    MD5:DAEFEB0213279B42AFCA0C0290F12E6E
                    SHA1:4DE0A0E19DCFBF279085B95A83BF2737BCCD0C9B
                    SHA-256:597346A6E6BE8F177A1006F0DC63CB8734A2E58BAE7041FCBD760092E860A690
                    SHA-512:D0CCA01603BEEC0FF5D75E6AF096FA573CF6C0CCB837CAFC0FB1B386052285AD47C39BA0A2B6859FCDBAFB3F041212C559316BAD922962CB79EC31464B841FE3
                    Malicious:false
                    Preview:................IQz...AN...R...............Z...C.:.\.U.s.e.r.s.\.t.o.t.t.i.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.S.y.s.t.e.m...w.i.m.............R...C.:.\.U.s.e.r.s.\.t.o.t.t.i.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.S.y.s.t.e.m.............F...C.:.\.U.s.e.r.s.\.t.o.t.t.i.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.........................H...H...........C.:.\.W.i.n.d.o.w.s.\.L.o.g.s.\.D.I.S.M.\.d.i.s.m...l.o.g...
                    Process:C:\Windows\System32\wimserv.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):2421224
                    Entropy (8bit):6.490220533880386
                    Encrypted:false
                    SSDEEP:24576:mrmoCH/siu9xQBvJ4TyKyCdgjBXj0jHy3WBZ3cRDusH192mdoEtPg+61zpw94I25:mhxaM+7g+Kzq4I28/1eKle7mLXyn0Lw
                    MD5:B9E0A7CBD7FDB4D179172DBDD453495A
                    SHA1:7F1B18A2BEE7DEFA6DB4900982FD3311AABED50D
                    SHA-256:CB72B724C5F57E83CC5BC215DD522C566E0EA695B9E3D167EED9BE3F18D273CE
                    SHA-512:720985495B67E87F6ECF62268D7DC8FECDB7C06CF9606CE1A12CE4EA741DD3D46A759420E02EC54BC6E96E49D37A2E19AC307093B1228C01914C8E632A8D373C
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 4%
                    • Antivirus: Virustotal, Detection: 4%, Browse
                    Process:C:\Windows\System32\wimserv.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1802728
                    Entropy (8bit):6.520593089987922
                    Encrypted:false
                    SSDEEP:24576:I1iQzjPLwVa0gzIkUeSr18gU9W36RO5TsHKGaXDx0hl:Iz5zISSrqW36I7FXDx0hl
                    MD5:97AC3EF2E098C4CB7DD6EC1D14DC28F1
                    SHA1:3E78E87EEFE45F8403E46D94713B6667AEE6D9C9
                    SHA-256:A3D817490804A951BAC1C7B1EA6F48AED75BAEC7E3B4E31BE4FBD1FE82860BB1
                    SHA-512:693E90DA2581306A1F9BB117142429301C7DC28A8CAF623C4DFC21F735C53C4502E2B58A5EBDBD8C568DFD3393D1687428F1934F4C28B4FC715EB8F856AC02CD
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 4%
                    • Antivirus: Virustotal, Detection: 4%, Browse
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PNG image data, 42 x 14, 8-bit/color RGBA, non-interlaced
                    Category:dropped
                    Size (bytes):3939
                    Entropy (8bit):6.4055948873455275
                    Encrypted:false
                    SSDEEP:96:FSFo7FPWlknGbOJqHUfURuFID9AHNf5R5R5R5R5R54xcHoBhHtURHEgIURHtrMWS:FSK7FAknWZHiCCWcIBhN040+WU24zl
                    MD5:A3AFAEE8ED97669174E333565A81A9E0
                    SHA1:04931E0C918FF55D972699525C011731823F5392
                    SHA-256:3132CF46D717DF504C5E9F1CFA2502BE9AA9499C3520A9F245354B6C4664871F
                    SHA-512:93CCEFFF0E8816EB4E4469EB592E6AE444335373ABE1C0209DAA78A90B32C17C83368820DF6FA2CEC213AEABBAEFC55E7BFDA78CDB7CAD20356D28695719B09D
                    Malicious:false
                    Preview:.PNG........IHDR...*.........Y..{....pHYs.................iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c142 79.160924, 2017/07/13-01:06:39 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:tiff="http://ns.adobe.com/tiff/1.0/" xmlns:exif="http://ns.adobe.com/exif/1.0/" xmp:CreatorTool="Adobe Photoshop CC 2018 (Windows)" xmp:CreateDate="2023-09-27T00:08:05+08:00" xmp:MetadataDate="2023-09-27T00:23:06+08:00" xmp:ModifyDate="2023-09-27T00:23:06+08:00" photoshop:ColorMode="3" dc:format="image/png" xmpMM:InstanceID="xmp.iid:4011951
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
                    Category:dropped
                    Size (bytes):3603
                    Entropy (8bit):6.495436480868015
                    Encrypted:false
                    SSDEEP:96:SSCo7F8knGLWaOJIDo/y9AEHoTHLHEgAHMPNhmPEN5ci:SSz7F8knETzITrwQxNyi
                    MD5:5FF509D9B2D96AACBBBABC80769C6A6D
                    SHA1:0F03F8C7D841E407B5BAA71E0577D3DBB029076B
                    SHA-256:619FB0C5B3762429AAAFC5C39CDD591313E4C0F4445E93382AAC42BB7C0771D1
                    SHA-512:B0C83BBCC8CAA449D86A1D18301FC32BCC0F85E32298E85F46248D5AA8720547C23899E55F30CC1F5ACC51E548EFBBD7F4BF9ECE26F192F983517130A0B259A2
                    Malicious:false
                    Preview:.PNG........IHDR...0...0.....W.......pHYs.................iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c142 79.160924, 2017/07/13-01:06:39 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:tiff="http://ns.adobe.com/tiff/1.0/" xmlns:exif="http://ns.adobe.com/exif/1.0/" xmp:CreatorTool="Adobe Photoshop CC 2018 (Windows)" xmp:CreateDate="2023-09-24T01:13:28+08:00" xmp:MetadataDate="2023-09-24T01:26:11+08:00" xmp:ModifyDate="2023-09-24T01:26:11+08:00" dc:format="image/png" xmpMM:InstanceID="xmp.iid:a8db02eb-2e33-8a4e-b385-4910ef2
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PNG image data, 474 x 58, 8-bit/color RGBA, non-interlaced
                    Category:dropped
                    Size (bytes):8758
                    Entropy (8bit):7.187444546196136
                    Encrypted:false
                    SSDEEP:192:XSo7F8knEegISECD9hrr9rrsIOcyxeGe/tOfHc2:CoNnErCCD9fOcyxrKk
                    MD5:55DACD6A8426DC470758C76A329CC5BA
                    SHA1:A3AB4D47514A3EA86BAB6F788927538F07D7E80D
                    SHA-256:95F036A0A945C167216BB60CFD35FC6A054B99D9AA8850EBA08B83610451132E
                    SHA-512:BB6B79CD6B38665F1FB534070520E01112158C7F02440E056A9A320849EEC95CB316CF7CEF97C0BE7AD8BE64B3608F6EA556AFFB392C33B8DCDA93193EAE406D
                    Malicious:false
                    Preview:.PNG........IHDR.......:............pHYs.................iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c142 79.160924, 2017/07/13-01:06:39 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:tiff="http://ns.adobe.com/tiff/1.0/" xmlns:exif="http://ns.adobe.com/exif/1.0/" xmp:CreatorTool="Adobe Photoshop CC 2018 (Windows)" xmp:CreateDate="2023-09-22T15:32:12+08:00" xmp:MetadataDate="2023-09-26T23:46:27+08:00" xmp:ModifyDate="2023-09-26T23:46:27+08:00" dc:format="image/png" xmpMM:InstanceID="xmp.iid:93d59955-6142-e844-8e7b-c117ac7
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PNG image data, 220 x 68, 8-bit/color RGBA, non-interlaced
                    Category:dropped
                    Size (bytes):2167
                    Entropy (8bit):6.35120679427145
                    Encrypted:false
                    SSDEEP:48:Tu/6+zo7FDs9WlknNJpMr9les35Hoy3MSHzNG4f7KGpoH2fpT:ySEo7FmWlknNJGrimHoPSHzNG0GGpoAl
                    MD5:6EF3DE4295AA07ECEFAD372141458701
                    SHA1:B30FE36B7AAC7A06104F698109F394B6E3ED48D7
                    SHA-256:5CEA0C4246849903C50D43EC80DB8EE3FE9B3091025AC3CA0E5BB6F08C3FB9C2
                    SHA-512:4AF1F2A09F054EAFD197CD1FE9952D7E989EBC0D4DCC543FC6FAE786EEF56F059E657A6415C0D464A9852DB95F1378F4C885C1D7F5C5F5480EC3CFF80D37029C
                    Malicious:false
                    Preview:.PNG........IHDR.......D......o[.....pHYs................oiTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c142 79.160924, 2017/07/13-01:06:39 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmp:CreatorTool="Adobe Photoshop CC 2018 (Windows)" xmp:CreateDate="2023-09-25T17:09:09+08:00" xmp:MetadataDate="2023-09-25T17:09:09+08:00" xmp:ModifyDate="2023-09-25T17:09:09+08:00" xmpMM:InstanceID="xmp.iid:5ef91bb6-9ae0-8841-a2cf-e2a8770dd7c8" xmpMM:DocumentID="adobe:docid:photoshop:cc52a923-9806-ae4e-aa7e-fb18084eba65" xmpMM:OriginalDocumentID="xmp.did:9dbea3b9-d73d-5a40-a062-8e0c853dc8d1" photoshop:Co
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PNG image data, 42 x 14, 8-bit/color RGBA, non-interlaced
                    Category:dropped
                    Size (bytes):3838
                    Entropy (8bit):6.337451736858294
                    Encrypted:false
                    SSDEEP:96:FSFo7FPWlknGbOJqHlDuehmxt9AHNf5R5R5R5R5R54xcHoBhHu7zHEg2hPzHZmS7:FSK7FAknWZHl18fCWcIBhO7zmNz5SAx9
                    MD5:3857D1E6C48B9E70EACDBE544788D7D2
                    SHA1:AE200C684D1B127DC579019883EB6DEF28BA384F
                    SHA-256:EFB2F3D9318F61A832CBA5B8C6E3870D2CB8476D5F40157BF2A33648E222889A
                    SHA-512:9A089594D1B7D89AC6125B07E5FF077729E37675F9171A27287CEE3B74126827E1831D49EBB6EEEC226D060B69C31A3D3B8E57E55C83370B36FC8DE1056609C9
                    Malicious:false
                    Preview:.PNG........IHDR...*.........Y..{....pHYs.................iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c142 79.160924, 2017/07/13-01:06:39 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:tiff="http://ns.adobe.com/tiff/1.0/" xmlns:exif="http://ns.adobe.com/exif/1.0/" xmp:CreatorTool="Adobe Photoshop CC 2018 (Windows)" xmp:CreateDate="2023-09-27T00:08:05+08:00" xmp:MetadataDate="2023-09-27T00:14:43+08:00" xmp:ModifyDate="2023-09-27T00:14:43+08:00" photoshop:ColorMode="3" dc:format="image/png" xmpMM:InstanceID="xmp.iid:89b1c8e
                    Process:C:\Windows\SysWOW64\Dism.exe
                    File Type:Matlab v4 mat-file (little endian) \377\377\377\377x, rows 0, columns 104
                    Category:dropped
                    Size (bytes):400
                    Entropy (8bit):2.394936848073769
                    Encrypted:false
                    SSDEEP:6:a8t7sX51+me2zE0A6tz1ajHTbxUgEZR7DA6t:aMgXrZXzE0RMTVaR7D
                    MD5:9F668DD431B67705B754380187C54A71
                    SHA1:6C89CA32AD4F4C2BCA7FF81F5F4385CD192D3D74
                    SHA-256:7A52DBF9000A9A734000C322D7636F00D4E7938896D3F740D862C1D660EAF67B
                    SHA-512:788259889E61ED5BA12FEC24FBDC2EFA645F9B939E19D88E5CB456833C162190AD1C1521886420A977106B841320CA3B0F5CAA63E2179141DD194FF13061E5BD
                    Malicious:false
                    Preview:........h...............x........................................'............................................................ ................................................=f.............m.....3.......................s.y.s.t.e.c.v.3...e.x.e................... .......................................................>x.~.._...m.q;fg......................w.i.n.r.d.g.v.3...e.x.e...................
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:CSV text
                    Category:dropped
                    Size (bytes):686491
                    Entropy (8bit):4.874047704021639
                    Encrypted:false
                    SSDEEP:1536:UwSiSpSAHST7SSfSLWShnkSTStHseVlfSTSnyEStpnSpnMdSHHS4osNSJYu0ScZd:iPYlnK/3u+ucippS4L8jLNyjQvK6gh0C
                    MD5:D12A658DBA8EDF2CABF6E281DE14F9E4
                    SHA1:178DC57B485E66D36A2A1BAA027B88BE65866EF3
                    SHA-256:F9702EF5A7CA3ADC765E97A55C402237541712C691E3C7C9E7CDF7147338CB0D
                    SHA-512:399060687B9E43CC681CA1FBF515D53115F5E1FDCDAF9D6DB3735BB23C41C7FDDD5A96E69A99972D1737ECA633BD6D0C1E903A31A4CB170A3D9D6C688FC77569
                    Malicious:false
                    Preview:2023-09-22 00:00:03,550: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-22 00:00:13,601: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-22 00:00:23,597: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-22 00:00:26,373: INFO infoCategory : read -1937777048 value from reg err!..2023-09-22 00:00:33,598: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-22 00:00:43,601: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-22 00:00:53,596: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-22 00:01:03,601: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-22 00:01:13,629: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-22 00:01:23,628: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-22 00:01:33,625: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-22 00:01:43,630: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-22 00:01:53,630: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-22 00:02:03,628: INFO
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:CSV text
                    Category:dropped
                    Size (bytes):830489
                    Entropy (8bit):5.111941375721001
                    Encrypted:false
                    SSDEEP:1536:6SERUmSiS8SRw2ltS8TKOSB4bSqiSpsSxzeSxHxxZsSCXaUsLSOmf4SThS2SCr8i:HrPtRmddozxPFENMjCJH5kKBavzTW
                    MD5:8AEECE92BE2F1744219AA78BFAE59695
                    SHA1:772A08E56B8EB20CB64C36280F15B56942AD11F5
                    SHA-256:7531C5AADEB6B777A973847792A40F6E179430506B08713B6183BF06CF7186B4
                    SHA-512:37B589D2EF7879E6F6C1A326A65ABF747763F13F2FA4B077A748FE88910FD60EA03C5186DBC856EC6A272F756B2B12C7C6D80AD4962BEECDEA5A3F584E8A891A
                    Malicious:false
                    Preview:2023-09-23 00:00:08,910: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-23 00:00:18,967: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-23 00:00:28,965: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-23 00:00:38,961: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-23 00:00:48,962: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-23 00:00:57,362: INFO infoCategory : read -829432920 value from reg err!..2023-09-23 00:00:58,963: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-23 00:01:08,958: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-23 00:01:18,961: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-23 00:01:28,961: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-23 00:01:38,965: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-23 00:01:48,962: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-23 00:01:58,963: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-23 00:02:08,957: INFO
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:CSV text
                    Category:dropped
                    Size (bytes):773551
                    Entropy (8bit):4.93710940998137
                    Encrypted:false
                    SSDEEP:6144:Tyomoeebkb2iJbBBGGdhGacvEG0XyybBgannDTKaJd:/+
                    MD5:B45D621946973D75307685592F93F2A3
                    SHA1:8FDFF9D4BD5E1E224710767C27CE701E25E424C6
                    SHA-256:380AF63A8192A7C1B4A870F993ED66FD2E7B25236FAA3AE553EEC857D7AF302B
                    SHA-512:711CD40EBD8F15C0FDC1F3B74AC84D3D4ECDA283AD5CDEB6D776379553D39841E057BBD80CFD98718078433A31FCDEE5A1234CDC8C345A6B78A4C8F964C469C0
                    Malicious:false
                    Preview:2023-09-26 00:00:07,191: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-26 00:00:17,221: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-26 00:00:27,222: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-26 00:00:37,219: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-26 00:00:43,598: INFO infoCategory : read 1080023848 value from reg err!..2023-09-26 00:00:47,222: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-26 00:00:57,222: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-26 00:01:07,215: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-26 00:01:17,220: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-26 00:01:27,218: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-26 00:01:37,216: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-26 00:01:47,220: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-26 00:01:57,218: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-26 00:02:07,217: INFO
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:CSV text
                    Category:dropped
                    Size (bytes):733323
                    Entropy (8bit):4.911194605856627
                    Encrypted:false
                    SSDEEP:6144:Yx4TnlY64qEgEQpvLzfQ2YGq0726g68Zsn:V
                    MD5:35AD706650DEB623156081B37C593CC6
                    SHA1:6CFBEF36FBC23C975866C5F68A791A37670F05B5
                    SHA-256:99881570FEF0DD53E8259052BD19CA3B2D03BFD6E6FDA03E6F112E79A585E74B
                    SHA-512:166DED701231C655A976771D30E082AA460E800C8FC7A2D66BD1E848AECECBD54CDE020E2DC35E26443861BB74097FCFEC533E0B9C6F0A86BD9BFAA1F15AD9A0
                    Malicious:false
                    Preview:2023-09-27 00:00:01,204: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-27 00:00:11,248: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-27 00:00:21,253: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-27 00:00:31,250: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-27 00:00:41,254: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-27 00:00:43,647: INFO infoCategory : read 1080023848 value from reg err!..2023-09-27 00:00:44,189: INFO infoCategory : ServiceStrl SERVICE_CONTROL_SESSIONCHANGE!..2023-09-27 00:00:44,189: INFO infoCategory : Service Control Session Changed begin!! msgid=8..2023-09-27 00:00:51,252: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-27 00:01:01,247: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-27 00:01:11,250: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-27 00:01:21,250: INFO infoCategory : CCenterClient sendHeartBeat..2023-09-27 00:01:31,249: INFO infoCategory : CCenterClient sendHeartB
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:CSV text
                    Category:dropped
                    Size (bytes):166494
                    Entropy (8bit):5.119038538693684
                    Encrypted:false
                    SSDEEP:768:/A0UMAVQDdO1UrqTm2+5SRN0KSIkJgSjxP0S+aMGSbKr6SQJv:/A0pO1UrqTm2+5S0KSfgSV0S2GSo6Ss
                    MD5:CA397EE8B595D011C051FFF68BF8537B
                    SHA1:0FE0F5436DF99C4667783F3F7FAFE040C25FED1A
                    SHA-256:C4F36729F404ACFEA633033056D3E36B4F5B33782294ED9B207384ACF80606D3
                    SHA-512:6398A66380F880122A1F93BBE0E9ED7167CC0BC51C8380ED8FEE3A4340674632E4F95358C4AB1AEB35976CFE56FDBE4DFC75EAFC122552B9A728ADDD3CB0F1F1
                    Malicious:false
                    Preview:2024-05-12 05:10:48,087: INFO infoCategory : isWin7OrGreater =true licodeLoaded=true ..2024-05-12 05:10:48,134: INFO infoCategory : CCenterClient doConnect start sock 134.175.254.188..2024-05-12 05:10:48,134: INFO infoCategory : tcp begin connect! address=134.175.254.188 port=443..2024-05-12 05:10:48,134: INFO infoCategory : tcp end connect! ret=-1..2024-05-12 05:10:48,134: INFO infoCategory : tcp connect err! begin select!!..2024-05-12 05:10:52,136: INFO infoCategory : sock connect select err!! errno=0..2024-05-12 05:10:52,136: INFO infoCategory : client create connect to comet !sock_ sock=1256 ip=134.175.254.188 port=443..2024-05-12 05:10:52,198: INFO infoCategory : center client connect err!! sock=1256 ip=134.175.254.188 port=443..2024-05-12 05:10:52,200: INFO infoCategory : CCenterClient run CenterNetState_ConnErr..2024-05-12 05:10:52,215: INFO infoCategory : center client disconnect!! sock=1256..2024-05-12 05:11:14,894: INFO infoCategory : ServiceStrl SERVICE_CONTROL_SESSIONCHANGE
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:CSV text
                    Category:dropped
                    Size (bytes):3178
                    Entropy (8bit):5.18437746651025
                    Encrypted:false
                    SSDEEP:48:zxQU81JT1qo8mjJEJPIPjUYATD7bdgePchvyzMbJcIUJc01JJcL1Jcit89oJBJlf:mt1l/3jq9Iuee8zwd1HIDPoo/jH/
                    MD5:3394C8D979C9B45743A2938A2C12F63C
                    SHA1:D16F767870426280B4BFF430780E6929D32F1540
                    SHA-256:AD0F4F73AFA59D2D908EF01735C256358DBC27DF6CC743D545A6F34F871F82F0
                    SHA-512:53B097516678F306CA956D591C50A5D7E6E69EC2DB6B453816AC18C034A76E3AABFCBB79D59F061EA6EE32BDC67A75AAF9DF505DF50965E9B768210E106B4890
                    Malicious:false
                    Preview:2024-05-14 03:13:38,710: INFO infoCategory : isWin7OrGreater =true licodeLoaded=true ..2024-05-14 03:13:38,754: INFO infoCategory : CCenterClient doConnect start sock 134.175.254.188..2024-05-14 03:13:38,754: INFO infoCategory : tcp begin connect! address=134.175.254.188 port=443..2024-05-14 03:13:38,754: INFO infoCategory : tcp end connect! ret=-1..2024-05-14 03:13:38,754: INFO infoCategory : tcp connect err! begin select!!..2024-05-14 03:13:42,763: INFO infoCategory : sock connect select err!! errno=0..2024-05-14 03:13:42,763: INFO infoCategory : client create connect to comet !sock_ sock=1296 ip=134.175.254.188 port=443..2024-05-14 03:13:42,768: INFO infoCategory : center client connect err!! sock=1296 ip=134.175.254.188 port=443..2024-05-14 03:13:42,783: INFO infoCategory : CCenterClient run CenterNetState_ConnErr..2024-05-14 03:13:42,795: INFO infoCategory : center client disconnect!! sock=1296..2024-05-14 03:13:50,117: INFO infoCategory : ServiceStrl SERVICE_CONTROL_SESSIONCHANGE
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:CSV text
                    Category:dropped
                    Size (bytes):38183
                    Entropy (8bit):5.222123659270451
                    Encrypted:false
                    SSDEEP:384:6fB+INrHOIRyiMYawAAA51cBtMzHB3y2NbhNH7r0Znoxkjq0liAeYZJYNl4fRtSm:2+X1cfGHB3y2TqS9soqSmhaVSCBq
                    MD5:EEE5B18F1D7C1AFAF1AB9DB2F32CA6E9
                    SHA1:5FBFBC71A0E994F22C607F4ED18BA73BC995853F
                    SHA-256:8D73BDAC0935A82F2CCA24EDAD4DB094F4BF25C8425F4F5D3F065E1AFF137E32
                    SHA-512:CF180A805EDE80DD96260EC855B2C2461D298368B0878CAAFFABC1F90F7DF31C30FC037FDD2FC0575491CD173C977CEA1F952390C59A18081E265901535020C9
                    Malicious:false
                    Preview:2024-05-15 00:52:39,896: INFO infoCategory : isWin7OrGreater =true licodeLoaded=true ..2024-05-15 00:52:39,957: INFO infoCategory : CCenterClient doConnect start sock 134.175.254.188..2024-05-15 00:52:39,958: INFO infoCategory : tcp begin connect! address=134.175.254.188 port=443..2024-05-15 00:52:39,958: INFO infoCategory : tcp end connect! ret=-1..2024-05-15 00:52:39,958: INFO infoCategory : tcp connect err! begin select!!..2024-05-15 00:52:43,961: INFO infoCategory : sock connect select err!! errno=0..2024-05-15 00:52:43,961: INFO infoCategory : client create connect to comet !sock_ sock=1260 ip=134.175.254.188 port=443..2024-05-15 00:52:43,972: INFO infoCategory : center client connect err!! sock=1260 ip=134.175.254.188 port=443..2024-05-15 00:52:43,987: INFO infoCategory : CCenterClient run CenterNetState_ConnErr..2024-05-15 00:52:43,992: INFO infoCategory : center client disconnect!! sock=1260..2024-05-15 00:53:00,425: INFO infoCategory : CCenterClient doConnect start sock 134.17
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:ASCII text, with very long lines (4160), with CRLF line terminators
                    Category:dropped
                    Size (bytes):485118
                    Entropy (8bit):5.323777027767362
                    Encrypted:false
                    SSDEEP:1536:C4uhDwWecxYp8aySPvtPLuAUPpty4+0f1:BBcqlPZa
                    MD5:72AA4E53E767441D334347F003329BCF
                    SHA1:CA1E20806B1967A0A97CB421B961871543195451
                    SHA-256:817E8B2221D34D0D74BC3398489D12CE97934184BA419BA8F3479D3639602EFD
                    SHA-512:5DF5120A696502DCCD5F0EFF56C9D9BFADEC6EA65FDA5B781124450A470BA7D7CB675BB1880E92D7EE64904BF6D1CC7A0752DD3087240EC8AFC2574D415A989E
                    Malicious:false
                    Preview:2023-09-20 19:17:14,051: INFO infoCategory : file path not exist. path:C:\Program Files\ToDesk\ImageResources..2023-09-20 19:17:14,055: INFO infoCategory : isWin7OrGreater =true licodeLoaded=true ..2023-09-20 19:17:14,087: INFO infoCategory : start todesk_session pid = 15180..2023-09-20 19:17:14,089: INFO infoCategory : tcp begin connect! address=127.0.0.1 port=35600..2023-09-20 19:17:14,089: INFO infoCategory : tcp end connect! ret=-1..2023-09-20 19:17:14,089: INFO infoCategory : tcp connect err! begin select!!..2023-09-20 19:17:14,094: INFO infoCategory : sessionconfig privacy_screen_image_url:, privacy_screen_image_md5 : ..2023-09-20 19:17:14,095: INFO infoCategory : gpu infos :[.. {.. "feature" : 21474836485,.. "id" : "8086",.. "name" : "Intel(R) HD Graphics 5500".. }..].., gpu_list :1 client_screenlist:1 sfu:0 use_ext_video:0..2023-09-20 19:17:14,095: INFO infoCategory : licode state:expriment:1 config:1 planb:1 enable_multiscreen:1 datachannel:0 multiscreen:0
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:ASCII text, with very long lines (4167), with CRLF line terminators
                    Category:dropped
                    Size (bytes):946378
                    Entropy (8bit):5.3348458736268105
                    Encrypted:false
                    SSDEEP:1536:SMmiYjTMVIq7YbYMtYHJrkeSRCm70RJxBp0HCctBHxDmcEaI6h5SUZulwcq/Yxgx:+BjVa0
                    MD5:6AA73BF45D334D3E095C5A9752DA8059
                    SHA1:223FD37CAD90932CCB2A3F147A3C8300F0C70B9A
                    SHA-256:7F65899C602660E16CABD0364739CCF32DA895411E9FC2C0D6BC6580F3715115
                    SHA-512:3F04E36B74E54785E5B006C6BCF6BB2668362360818999DB5A7FAF7886E66F3CF4ABE6029DA0C4205754146D45D47DF96E391529F0972444570456C00CB45E5B
                    Malicious:false
                    Preview:2023-09-21 10:29:27,858: INFO infoCategory : isWin7OrGreater =true licodeLoaded=true ..2023-09-21 10:29:27,873: INFO infoCategory : start todesk_session pid = 3176..2023-09-21 10:29:27,874: INFO infoCategory : tcp begin connect! address=127.0.0.1 port=35600..2023-09-21 10:29:27,875: INFO infoCategory : tcp end connect! ret=-1..2023-09-21 10:29:27,875: INFO infoCategory : tcp connect err! begin select!!..2023-09-21 10:29:27,876: INFO infoCategory : sessionconfig privacy_screen_image_url:, privacy_screen_image_md5 : ..2023-09-21 10:29:27,876: INFO infoCategory : gpu infos :[.. {.. "feature" : 21474836485,.. "id" : "8086",.. "name" : "Intel(R) HD Graphics 5500".. }..].., gpu_list :1 client_screenlist:1 sfu:0 use_ext_video:0..2023-09-21 10:29:27,897: INFO infoCategory : licode state:expriment:1 config:1 planb:1 enable_multiscreen:1 datachannel:0 multiscreen:0 screenid:0 enableSendV2:0 enableLicodeAudio:1..2023-09-21 10:29:27,897: INFO infoCategory : zrtc_config:{"use_p
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:CSV text
                    Category:dropped
                    Size (bytes):873827
                    Entropy (8bit):4.301657727027266
                    Encrypted:false
                    SSDEEP:24576:uHdWyFg/RwKLhCFwxH3kRedb7VzzW5UvFHirMBbaZd:c
                    MD5:DD93BC2F2EF179D2ED6F106B330EE294
                    SHA1:7272282FD6B6C1A796866236B4B739CDFC91DBFC
                    SHA-256:2E148A8165C6D5ED4923C9FFDD41D92C4EB318D3B7A1DC95E40025C0CC44AD4A
                    SHA-512:0FB1AE11C0A78C92D0043FA2F7AFDCE308CFED276772377896DD4437B61FC79565A7716835C36C4528346443C9BD0781C4AE42ACE9F3317032C88A4441F15655
                    Malicious:false
                    Process:C:\Windows\SysWOW64\Dism.exe
                    File Type:Matlab v4 mat-file (little endian) \377\377\377\377x, rows 0, columns 104
                    Category:dropped
                    Size (bytes):400
                    Entropy (8bit):2.394936848073769
                    Encrypted:false
                    SSDEEP:6:a8t7sX51+me2zE0A6tz1ajHTbxUgEZR7DA6t:aMgXrZXzE0RMTVaR7D
                    MD5:9F668DD431B67705B754380187C54A71
                    SHA1:6C89CA32AD4F4C2BCA7FF81F5F4385CD192D3D74
                    SHA-256:7A52DBF9000A9A734000C322D7636F00D4E7938896D3F740D862C1D660EAF67B
                    SHA-512:788259889E61ED5BA12FEC24FBDC2EFA645F9B939E19D88E5CB456833C162190AD1C1521886420A977106B841320CA3B0F5CAA63E2179141DD194FF13061E5BD
                    Malicious:false
                    Preview:........h...............x........................................'............................................................ ................................................=f.............m.....3.......................s.y.s.t.e.c.v.3...e.x.e................... .......................................................>x.~.._...m.q;fg......................w.i.n.r.d.g.v.3...e.x.e...................
                    Process:C:\Windows\SysWOW64\Dism.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):150
                    Entropy (8bit):4.475201182365198
                    Encrypted:false
                    SSDEEP:3:Fla1ll/ljM0B1paHG/f/o/g+BCsgYcqBlfJm0xUngsn:C1JUG/Y/g+BVLM0xUgs
                    MD5:ACCAE188E4DFF929C1783C209764BCCC
                    SHA1:70C73301CB300859DD34F668ABB861A5BA370EF1
                    SHA-256:0E305FBA95D7C3490D04F0AD5CCE70AF98E4E7F0F99564EA4FD60040817E23FB
                    SHA-512:7148128093A61993B7FAA7291F8F35343B4BCF437E58E87F5C144177B6E8CF4DD2F183EA6A781A6130F8A85CB32D6028B7AC1794E8116EA2F087987701689B83
                    Malicious:false
                    Process:C:\Windows\System32\wimserv.exe
                    File Type:Matlab v4 mat-file (little endian) \377\377\377\377x, rows 0, columns 104
                    Category:dropped
                    Size (bytes):400
                    Entropy (8bit):2.394936848073769
                    Encrypted:false
                    SSDEEP:6:a8t7sX51+me2zE0A6tz1ajHTbxUgEZR7DA6t:aMgXrZXzE0RMTVaR7D
                    MD5:9F668DD431B67705B754380187C54A71
                    SHA1:6C89CA32AD4F4C2BCA7FF81F5F4385CD192D3D74
                    SHA-256:7A52DBF9000A9A734000C322D7636F00D4E7938896D3F740D862C1D660EAF67B
                    SHA-512:788259889E61ED5BA12FEC24FBDC2EFA645F9B939E19D88E5CB456833C162190AD1C1521886420A977106B841320CA3B0F5CAA63E2179141DD194FF13061E5BD
                    Malicious:false
                    Preview:........h...............x........................................'............................................................ ................................................=f.............m.....3.......................s.y.s.t.e.c.v.3...e.x.e................... .......................................................>x.~.._...m.q;fg......................w.i.n.r.d.g.v.3...e.x.e...................
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                    Category:dropped
                    Size (bytes):436
                    Entropy (8bit):7.132968836552489
                    Encrypted:false
                    SSDEEP:12:6v/7iIL/6T+tDScEXJ1IvxuO3j1+TJymfw2YlN:2/6qO51Ipdj18zI20N
                    MD5:793A8A5B150227B86A2C57F78AC4B191
                    SHA1:9AC5B30B335125A23F0D6D1C4EDC67EAA1E4EC60
                    SHA-256:2E34EFFD8BB007D45F62744D7575B362F5299FD68E8EC24B161386271920AAA2
                    SHA-512:9B64EC5793053782BBEE4721D8047108009745330FD38ADE1C08AD772C05560B22517534C86BECBE59AB7D1B7267E857D07C6C27A58FC82072099DE5C543794D
                    Malicious:false
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:GIF image data, version 89a, 14 x 14
                    Category:dropped
                    Size (bytes):3523
                    Entropy (8bit):7.614619712353673
                    Encrypted:false
                    SSDEEP:96:xavXLks8MaUvYAlM6vrHdO0MGGd5tFLwJBMsQeG2ssDW:xaP89UAgTvr80MGGdnFM/MIRK
                    MD5:FBFA413B2696A767E6E45E9CA68F8C05
                    SHA1:ED06B3D6ABED4694FBB01548CB705113104A3FF1
                    SHA-256:EE0E0FE544B1CDFB01DF2C15257935A78A2827FAB8ADA5146C4E9C2A7F7343E0
                    SHA-512:7C0383C8C72AEE8E9FA48E116279E678A42A650367BBE093C51F8058E9B77F733F03B2775CDA093DAD1F18E1FC9181570221CB7E6F65E902B6E8CC639C8DE568
                    Malicious:false
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                    Category:dropped
                    Size (bytes):557
                    Entropy (8bit):7.267033795446974
                    Encrypted:false
                    SSDEEP:12:6v/7iIL/6Tx+rX4ct5V2iGAqSJ+ESMuY15if4wTqKU1:2/6o9HUiG9SsESMu5f8r1
                    MD5:520F251255D3A5A93C06DF3578434F57
                    SHA1:B1E57A2860FB119F311EED65392BC1F9090F6D6B
                    SHA-256:A6BBC4ECA3DCEB3C3534336BBF0F9D731546BB1D0DB1B7298C241C6DD41EC30D
                    SHA-512:D744528C9C8943437E594B4B618C08B862C091C37DEDF3FFF687B84360136C9B48DBCAB11F6E58E2F83B7891124DF749FCBD5B59F52103EAC3DD054CB69E25CA
                    Malicious:false
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=6, xresolution=86, yresolution=94, resolutionunit=2, software=Adobe Photoshop CS6 (Windows), datetime=2023-04-11T13:07:30+08:00], baseline, precision 8, 733x250, components 3
                    Category:dropped
                    Size (bytes):55732
                    Entropy (8bit):7.949431508721036
                    Encrypted:false
                    SSDEEP:1536:Ss3D6gNjGR5ctSTpV3MOa55ml7w/xQHBtyGJwLa3HqiqhPqdH:F+gNW5ctSL3M3xQH5w2UmH
                    MD5:E8CEF6B4CABF2FFEFBD539EB27F4A743
                    SHA1:F97C07AD993E288B5D3B0EF2F35B5B02AD509C51
                    SHA-256:CB613494959F76887EA602E6418C12885BF2494FD0CFA66D14E825A15893AA03
                    SHA-512:8B112C81CD84F7480F347E4AC37E5D6327D954FFAAE44F2F41ED8CBF0D4D5765564D696BB9B23BE608C82D3810F2A066813578806B9E8DEF00AE42B6A7059111
                    Malicious:false
                    Preview:......Exif..II*...............V...........^...(...........1.......f...2...........i...............H.......H.......Adobe Photoshop CS6 (Windows).2023-04-11T13:07:30+08:00...........0220..................................................Ducky.......P......http://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmp:CreateDate="2023-01-01T16:54:53+08:00" xmp:ModifyDate="2023-04-11T13:07:30+08:00" xmp:MetadataDate="2023-04-11T13:07:30+08:00" dc:format="image/jpeg" xmpMM:InstanceID="xmp.iid:C2C21422D82611ED9728A73C17A3E044" xmpM
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=6, xresolution=86, yresolution=94, resolutionunit=2, software=Adobe Photoshop CS6 (Windows), datetime=2023-04-11T14:10:09+08:00], baseline, precision 8, 733x250, components 3
                    Category:dropped
                    Size (bytes):56195
                    Entropy (8bit):7.953589169354653
                    Encrypted:false
                    SSDEEP:1536:3sDJC5V4/lAoyQ62fovExq7izX1c2VuGTzFLVu:eJuV49KFqoj2kKBs
                    MD5:7A8800F3038CC09838125CE29851B6C2
                    SHA1:F400906FACA9C349BDC5B09CA782B091F83AA4FE
                    SHA-256:332856778FBDB88157ACDEC8D8ED774101D47DA48D4A6888041B08A082584FAB
                    SHA-512:16BD34E9F033F1BA1EF5D12533520C433EE922B77E941C9238F31199837E9ACF58A5C928B228F8562D49743CFAD13A9F026B8C6D2737B3ECEBEB19F864AEFE29
                    Malicious:false
                    Preview:......Exif..II*...............V...........^...(...........1.......f...2...........i...............H.......H.......Adobe Photoshop CS6 (Windows).2023-04-11T14:10:09+08:00...........0220..................................................Ducky.......P......http://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmp:CreateDate="2023-01-01T16:56:00+08:00" xmp:ModifyDate="2023-04-11T14:10:09+08:00" xmp:MetadataDate="2023-04-11T14:10:09+08:00" dc:format="image/jpeg" xmpMM:InstanceID="xmp.iid:832A983AD82F11EDB2CD87B634D50FC6" xmpM
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PNG image data, 157 x 181, 8-bit/color RGBA, non-interlaced
                    Category:dropped
                    Size (bytes):7146
                    Entropy (8bit):7.938889974526774
                    Encrypted:false
                    SSDEEP:192:VSHIIHUCD4wa2YLLLibLtdl2Yg7jLPPpXsCE:050wdYLLLibRqN7jL3pXTE
                    MD5:D74C43E26FEA60F76644BE3B77AE76D8
                    SHA1:DF2CD4ADD519C36ACEC0C2F66D031545E4F5DCA1
                    SHA-256:4D62C46F974EB4762A91856C09D7C0BABFCFAE1A97E1041470C6A23B6CBE4F9D
                    SHA-512:E5963A438D384A853635D301DBBC5E902F144C888FBA9CB934401C049C9DAFB42FBE6134E1FE3715751A6CC5CF21E3F9FACB193FC242B5044C963EFDD678DE84
                    Malicious:false
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):22744277
                    Entropy (8bit):7.532563826064469
                    Encrypted:false
                    SSDEEP:393216:bHEuWJ6pOy4I2m5/fqo5kCyLZ29ujQ8b3ov0+pI:ge/fqoGdLMUh+G
                    MD5:B4B0AC2B60CFB4AE3F0A085D70A8938E
                    SHA1:B1B67EE3E24933D3771A053BF6D735349384839F
                    SHA-256:DFDBEB945FADF1E50777A73F90C1B1727EE63191554A662139A9187E71EEA11C
                    SHA-512:1D95641FEE1243BAB3AE24CC3740D2B4D30D52DA610CFEF4CC7FF9706A23E04A813621F9DBAE0D516CE1F8F8A5E62FB95000786C225C1C6FB6842186FB3C47E3
                    Malicious:false
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):5632
                    Entropy (8bit):4.881160720969831
                    Encrypted:false
                    SSDEEP:48:6jOBtU/BXN8kUByyy/Aklkcrkyg7Vg5RibGoTCTo0gqVeeaeQqzM5rv774YRljmB:y/DMy4ncrkyg7tbpQFLUEYRxe
                    MD5:A7CD6206240484C8436C66AFB12BDFBF
                    SHA1:0BB3E24A7EB0A9E5A8EAE06B1C6E7551A7EC9919
                    SHA-256:69AC56D2FDF3C71B766D3CC49B33B36F1287CC2503310811017467DFCB455926
                    SHA-512:B9EE7803301E50A8EC20AB3F87EB9E509EA24D11A69E90005F30C1666ACC4ED0A208BD56E372E2E5C6A6D901D45F04A12427303D74761983593D10B344C79904
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%, Browse
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):4608
                    Entropy (8bit):4.666004851298707
                    Encrypted:false
                    SSDEEP:48:iYXzAm8HGJLvwM8GJFd6I7W4JtT2bxNNAa4GsNf+CJ8aYqmtlKdgAtgma1QvtCSJ:lz2mJkpGR6GY74GQ1YqmstgGCtR
                    MD5:FAA7F034B38E729A983965C04CC70FC1
                    SHA1:DF8BDA55B498976EA47D25D8A77539B049DAB55E
                    SHA-256:579A034FF5AB9B732A318B1636C2902840F604E8E664F5B93C07A99253B3C9CF
                    SHA-512:7868F9B437FCF829AD993FF57995F58836AD578458994361C72AE1BF1DFB74022F9F9E948B48AFD3361ED3426C4F85B4BB0D595E38EE278FEE5C4425C4491DBF
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%, Browse
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):11264
                    Entropy (8bit):5.76003797720627
                    Encrypted:false
                    SSDEEP:192:jVL7iZJX76BiqsO7+UZEw+RlthVEoC0O3XB:g7ssOpZs/hS3X
                    MD5:960A5C48E25CF2BCA332E74E11D825C9
                    SHA1:DA35C6816ACE5DAF4C6C1D57B93B09A82ECDC876
                    SHA-256:484F8E9F194ED9016274EF3672B2C52ED5F574FB71D3884EDF3C222B758A75A2
                    SHA-512:CC450179E2D0D56AEE2CCF8163D3882978C4E9C1AA3D3A95875FE9BA9831E07DDFD377111DC67F801FA53B6F468A418F086F1DE7C71E0A5B634E1AE2A67CD3DA
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 1%, Browse
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):6656
                    Entropy (8bit):5.028908901377071
                    Encrypted:false
                    SSDEEP:96:W7GUaYNwCLuGFctpiKFlYJ8hH4RVHpwdEeY3kRlDr6dMqqyVgN738:Iygp3FcHi0xhYMR8dMqJVgN
                    MD5:51E63A9C5D6D230EF1C421B2ECCD45DC
                    SHA1:C499CDAD5C613D71ED3F7E93360F1BBC5748C45D
                    SHA-256:CD8496A3802378391EC425DEC424A14F5D30E242F192EC4EB022D767F9A2480F
                    SHA-512:C23D713C3C834B3397C2A199490AED28F28D21F5781205C24DF5E1E32365985C8A55BE58F06979DF09222740FFA51F4DA764EBC3D912CD0C9D56AB6A33CAB522
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%, Browse
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):46
                    Entropy (8bit):4.509883902076781
                    Encrypted:false
                    SSDEEP:3:yQmNV/K2PNqEdKRbZJ:DmNJfNqEdKB3
                    MD5:C9CFC92108B39132B5D3070962A32343
                    SHA1:62850E81FECB8891E376CDF672E74728CF478D8F
                    SHA-256:BFEF6DDA690882A584563DB70FB8D42FDC025C22ABF4AF4B974B316ED760CC69
                    SHA-512:F252732CC27A3FE28DBCF96FB7FC4E857DCFE9D6797C941364582FAEFD2695286E88572A2095BB67CA7037B9D8C2FAE005960473AAF9BC364B4328E52500C4BA
                    Malicious:false
                    Preview:[set]..url=http://tongji.sejai.com/drvceo.html
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:JSON data
                    Category:dropped
                    Size (bytes):106
                    Entropy (8bit):4.724752649036734
                    Encrypted:false
                    SSDEEP:3:YD96WyV18tzsmyXLVi1rTVWSCwW2TJHzeZ18rY:Y8WyV18tAZLVmCwXFiZ18rY
                    MD5:8642DD3A87E2DE6E991FAE08458E302B
                    SHA1:9C06735C31CEC00600FD763A92F8112D085BD12A
                    SHA-256:32D83FF113FEF532A9F97E0D2831F8656628AB1C99E9060F0332B1532839AFD9
                    SHA-512:F5D37D1B45B006161E4CEFEEBBA1E33AF879A3A51D16EE3FF8C3968C0C36BBAFAE379BF9124C13310B77774C9CBB4FA53114E83F5B48B5314132736E5BB4496F
                    Malicious:false
                    Preview:{"file_format_version": "1.0.0", "ICD": {"library_path": ".\\vk_swiftshader.dll", "api_version": "1.0.5"}}
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:RAR archive data, v5
                    Category:dropped
                    Size (bytes):5687676
                    Entropy (8bit):7.9999699097359125
                    Encrypted:true
                    SSDEEP:98304:OsHa1LFC1iyGl10TaHtYdAPiFpA9pKiG+nVe4GTQNjy9ZkdiV74H0:OsHyLFHN0qtYdAkpA3zETQNjy9Zkb0
                    MD5:6F77D48226214DF8D76CA7800773ED3D
                    SHA1:71208E124F45752241CAC125FE78353EE8819C1D
                    SHA-256:06CE0A505958D76FFCD7909D3ED6E3E9C8B2FA0D21219D92945A21E1F0EA9290
                    SHA-512:3A8372D58831EA671577961320FFB44E1BC4193C91313F15DD9E2B964D347A4319FD7DD6714C36CDD143D409D6695EE9AC8554572DA2262CF38CD9574A71616E
                    Malicious:false
                    Preview:Rar!.....6.3................b_..<......... o..7.;..bakrdgv3.sys0....:...../#.~..#X ..,.D....>2.$=.e..vk..._................@i.B..C.G{.K...Y..c..3..`S.7.........A.\..#=...5FY'Gv.....KR..v..ztd@........_.ml4....Sk..1..*.......Z0...kZ...@.d...Q.}.....(l{WC.73S.......X@....;..e......._....7....I..\..@XWu.B..*o....Q........T...../.n.T..A.vg..t},C#.u.8vT...=^ ......).w.......x.~.kNG...0...~.oplr....1...6.M.{.....'.M>S..L..hO0VCB..q+."..."l"-l..wj...vm....r.F...T.wl.6.B...T....j.. .]P...=.b....X....?U...F....|H...)G.....U..~K{_....,...>.D......Ap.&......^.5...B|.$...<+$...N%....<...abu`..?.<..R....d.Z......_.X....a.H....D.i....li...d;.}.-.k..X.w._.......g....n..T...7cc.vl.jcoI.....7.w9...Oh..\..}.....A..^.*....k..fH..K......3..G.....8...|) ....P....Xy...u]..oB.....l.>..g....3.>.f...\.K..-T0...o.f;..h...k......m..b^..H./S y......S.~.i...g..k.......Yz@$\yrK..........z....s..uIv../.........5.Tv.F~.m.!..kaJ<3.B}x=.....ZG.......U',l.-...k-
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:Composite Document File V2 Document, Cannot read section info
                    Category:dropped
                    Size (bytes):6656
                    Entropy (8bit):4.110926983236756
                    Encrypted:false
                    SSDEEP:48:rnsPhyIobhchP+DMgugiKSuPrKCuHJd9axNadRkhchfvm4hVp7udOlk00PKllsu/:E3sicXimrz+dRkiZvVL8W
                    MD5:62705B429DA1526F316D4396624C3E82
                    SHA1:F9CA4424C9ABF61BAEC2E072586E7A0140FF0EFB
                    SHA-256:3D01CCD71906FC37DDAAD08E39F65FCDECECF5503428C68D8E0D727C7B414036
                    SHA-512:361301A7729AED44C8AFF7759ED27FA8E393B33F25502D27F56D963364E7865898A341BD0C9990468AD47BFBCFFAB484F1369F1C6E65273E9DEF336BD9A10788
                    Malicious:false
                    Process:C:\Users\user\AppData\Local\Temp\7z.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):423232
                    Entropy (8bit):6.386717951833311
                    Encrypted:false
                    SSDEEP:6144:XuY705FoAqekD/QTVm0nM9m8uXZxXt2GCYA0t28H9/:12qDYZmsl8uXZxX+f0s85
                    MD5:FB741FCEEB80A76F7F0005A1AC60604A
                    SHA1:A6A8D97365634B266F0B5A001038A5A86B9ED2D6
                    SHA-256:C8BD29C490368EBFC56DC5C951E24AF613F7E5B68A8493240F5EC1AFD9D4A9B1
                    SHA-512:8E43D1A8448828E9EA5FCAC792B95DCB63640EA200CB2D2DFF4902C4CEB6E79A405E0739D293C7CC14BB6EE025089FB9E954BA38E6707B92AC9FE251918BD780
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 1%, Browse
                    Process:C:\Windows\SysWOW64\Dism.exe
                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (389), with CRLF line terminators
                    Category:modified
                    Size (bytes):124392
                    Entropy (8bit):5.06644534456823
                    Encrypted:false
                    SSDEEP:768:D/MiIzZC4aAM+TRMNMh09JAhQkQLKGQUE00qUCMzmN18Pvzu8/ok6vN5wgvjrmVq:j6h0t1EG4m
                    MD5:AFC47DFCDE43759EA5036A04DAB93D45
                    SHA1:F11E9FEA3EF4D6F14F69E61F1A79E260B521F258
                    SHA-256:02F7002355B2548918CFD72708D95BB06820DB773547B9594E9F2D9F02AD481F
                    SHA-512:F5D892F7990648344FC4CAF8765FBAF62765830B1C790BD2767EBF294F2BDEFEEEB31000F2F5E72F76990B65D7014DF01CD5DDA5785A4A33590CADD5E92A73CE
                    Malicious:false
                    Preview:.[3360] [0x8007007b] FIOReadFileIntoBuffer:(1452): The filename, directory name, or volume label syntax is incorrect...[3360] [0xc142011c] UnmarshallImageHandleFromDirectory:(641)..[3360] [0xc142011c] WIMGetMountedImageHandle:(2906)..[3360] [0x8007007b] FIOReadFileIntoBuffer:(1452): The filename, directory name, or volume label syntax is incorrect...[3360] [0xc142011c] UnmarshallImageHandleFromDirectory:(641)..[3360] [0xc142011c] WIMGetMountedImageHandle:(2906)..2023-10-03 13:01:57, Info DISM PID=3360 TID=5780 Temporarily setting the scratch directory. This may be overridden by user later. - CDISMManager::FinalConstruct..2023-10-03 13:01:57, Info DISM PID=3360 TID=5780 Scratch directory set to 'C:\Users\jones\AppData\Local\Temp\'. - CDISMManager::put_ScratchDir..2023-10-03 13:01:57, Info DISM PID=3360 TID=5780 DismCore.dll version: 6.2.19041.746 - CDISMManager::FinalConstruct..2023-10-03 13:01:57, Info DISM I
                    Process:C:\Windows\System32\svchost.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):524288
                    Entropy (8bit):0.3816776445190624
                    Encrypted:false
                    SSDEEP:192:9LAbpm8DmT1xMS92sICkjd0x5AUko5HOLboAcKYzFlgbm/:9LAb/M7mjhRoZO/oAPs
                    MD5:1418EB984CCF72431598B88FD347C207
                    SHA1:236F40D516BB56F5D9B02D2949CED4C7F628F69E
                    SHA-256:E01143A5F8ECA49080A8DE0C401289DFE1C1032399A5DBEF41E2A86BDEFA7D12
                    SHA-512:FC6E452F82BE92723649D1F66C4AD551759141A75285F71D45CC997916302299C724B81701712E4368E7315906F326A6B020F1809017EC45AF38278BC5E412F5
                    Malicious:false
                    Preview:....8...8...........................................!....................................?......................eJ......8,.....Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.6.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.6.1...........................................................@K5..............?..............N.e.t.C.f.g.T.r.a.c.e...C.:.\.W.i.n.d.o.w.s.\.L.o.g.s.\.N.e.t.S.e.t.u.p.\.s.e.r.v.i.c.e...0...e.t.l.........P.P..........?..................................................................8.B..?......19041.1.amd64fre.vb_release.191206-1406.....7.@..?.......I.[.8+m.!N8$......NetSetupEngine.pdb......4.@..?......].*;..y.q...2......NetSetupApi.pdb.db......5.@..?...........V.$$d...~. ....NetSetupShim.pdb........7.@..?.......-0...j.;B..p.)....NetSetupEngine.pdb......4.@..?.........>*.....Nr8..a....NetSetupApi.pdb.........4.@..?.........E_iC...F........NetSetupSvc.pdb.............................................
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):32
                    Entropy (8bit):4.04595859334435
                    Encrypted:false
                    SSDEEP:3:J+uI2x9vYg0n:Jn1/0n
                    MD5:84606A6FE79BE410CAB5F652068C4046
                    SHA1:0E1C56DC7025B9CA6EF3C09B9B56306B86CA71C7
                    SHA-256:D3106A9A2105A843AFDA5712D5C975B4093AE4511F99C876077D18FDA8A81A49
                    SHA-512:71293DA5BC9A71EB2B439586354B24AEC258A3E69DE284278EE2AA45837C6EC3564607169C30D157C0359A70A0C0078D3B576A17DDD1DF3F936912F5599F6D40
                    Malicious:false
                    Preview:#.......9( ....c.lVJ.......P....
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:Unicode text, UTF-16, little-endian text, with very long lines (1991), with CRLF line terminators
                    Category:dropped
                    Size (bytes):11832
                    Entropy (8bit):2.667175001041187
                    Encrypted:false
                    SSDEEP:96:reFsNfzGu/FVbKE8jk2mpPTL1okyW3A9LNH6DxhJiI+JCzap5T0aecdy1:CFstzhvbKE8ihH1RyWA5NHAh3vaThnI1
                    MD5:93862F2D227A9EA9435CDE8FE66FE9D8
                    SHA1:583F6E6EB1B2E4832B627F59A604CFA0EF90085E
                    SHA-256:512B10127437CFE82E5B2D61D17FD28DFD8B66B1951D8129E38974CFC6ED68F8
                    SHA-512:2C23D6E4673CAA8B54B923C685A2E1F6BD15F125F40B84C58A1C7EB9448CCB9C10C4375A4E10F5371D259C4A91CCD49922F55CAF3D94EDF1352676760BEFFFAC
                    Malicious:false
                    Preview:..[.A.g.e.n.t.I.n.f.o.].....A.g.e.n.t.G.U.I.D.=.5.A.7.3.C.1.2.1.-.E.0.0.6.-.4.8.0.B.-.9.E.B.9.-.C.C.D.D.7.9.0.0.1.4.7.E.....A.g.e.n.t.I.D.T.i.m.e.C.o.u.n.t.e.r.=.B.4.0.0.0.0.0.0.....D.y.n.a.m.i.c.I.d.e.n.t.i.f.y.I.D.=.C.B.A.F.9.5.A.4.-.1.E.F.A.-.4.5.0.C.-.9.1.C.A.-.A.2.6.C.3.3.7.1.5.8.5.9.....[.A.g.e.n.t.C.o.n.f.i.g.].....A.I.D.=.0.1.0.0.0.1.0.0.....G.I.D.=.E.7.0.3.0.0.0.0.....S.I.P.=.5.9.3.0.7.D.2.D.....I.n.s.t.a.l.l.T.i.m.e.=.B.3.A.D.5.2.2.2.2.0.2.E.E.6.4.0.....O.U.T.O.F.L.I.C.E.N.S.E.2.=.0.1.0.0.0.0.0.0.....O.U.T.O.F.L.I.C.E.N.S.E.3.=.0.1.0.0.0.0.0.0.....O.U.T.O.F.L.I.C.E.N.S.E.4.=.0.1.0.0.0.0.0.0.....S.I.P.S.I.D.=.F.F.F.F.F.F.F.F.....S.N.a.m.e.S.I.D.=.F.F.F.F.F.F.F.F.....S.S.A.S.N.=.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.....A.I.D.I.n.f.o.2.=.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.0.0.0.0.0.0.0.2.0.0.0.
                    Process:C:\Windows\SysWOW64\winrdlv3.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):32
                    Entropy (8bit):3.98345859334435
                    Encrypted:false
                    SSDEEP:3:J+qMetqRurt:JjMs/Z
                    MD5:34C1292AE0E2555C7E909CF4CB826055
                    SHA1:F3ACF6E789B9FD5836675EA5D943F8655ED3094B
                    SHA-256:565A6F3AC1C240C8FD6EBD10ECABD9D03E3CF70E0F53C13071192FA572BC6F88
                    SHA-512:8A7D8469DE547F92B7F8FFBAF2EDDE4BBDE0E7915450D2291BBB5793FCE077B4C68C94A2CA9F4DA00F9B7A7B12AC613CED649D341F4941F84DC7D0CFBEDE784F
                    Malicious:false
                    Preview:#.......=..r.@8.H..J..[Yt..l....
                    Process:C:\Windows\SysWOW64\winrdlv3.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):120
                    Entropy (8bit):3.9611859352069896
                    Encrypted:false
                    SSDEEP:3:bZB8vbdwRWxIIu4llB7OclAlDLqRI/lll:bZKvuRWuIH/BKcalDmK/
                    MD5:E4403A550F755E27A8C483C39EA6D9F0
                    SHA1:E077AC2BE5ED9BFCC28A064E51D58406DC7AE01B
                    SHA-256:649DE8F83423EBF83309E7871AFDA2188FB2879DE4232C4F9904D4917C399828
                    SHA-512:1CA461DEA7807F8738073748C94F74A2B7C2CADE0E29CD833BF0B0DBF362D1B2F7E3860EBC3481A669CA8137F0185FE1F03CC9CCF5A5A90AE7B4367E4CBDD2BD
                    Malicious:false
                    Preview:@..J..@l.T:......b.x..w...k.Pp.T..........(.E(.............................U.W.F.P.r.i.v.i.l.e.g.e.S.e.t.t.i.n.g.......
                    Process:C:\Windows\SysWOW64\winrdlv3.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):112
                    Entropy (8bit):4.039064029711979
                    Encrypted:false
                    SSDEEP:3:bZB8vPu9P9D/lheW9Xa/5O3+l5hl:bZKvPu91LqwYh
                    MD5:3E6654008079C90B2D4F5453A91CEB1E
                    SHA1:0FC96EB72C2533D94AB4DD82A3540AB0D925CA33
                    SHA-256:B05C61543AD5DD634160CA43BDD0F53800FBEEC5E1B672617B8A4DFC249758E9
                    SHA-512:053E025D11D99AB7BED901CB45F862E2FD6D7E25EFFE96D100F70C0FE996A4AFB47443964D542C50CA210685E56B087C11E91FEF520421B87349C321B9351B95
                    Malicious:false
                    Preview:@..J..@l.T:.......[.y...*AC@.L..........9.s.;.2.........................U.W.F.P.o.l.i.c.y.C.o.n.f.i.g.......
                    Process:C:\Windows\SysWOW64\winrdlv3.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):114
                    Entropy (8bit):4.113165628702379
                    Encrypted:false
                    SSDEEP:3:bZB8v/JObClX+4VU+DW7LXMRsyQsh/:bZKv/J8/4VnDWsqyQY/
                    MD5:867793F065C24188DAAC967349506A31
                    SHA1:F9A23F96651B972702437953273A7448BDF50CBC
                    SHA-256:C925E41CF141167DD3EB1F31F3A10DA3C4B2DA84F445CF44CD8F65B887D2768B
                    SHA-512:11A1D723749CEEEC4E6317ACEC7C02814712C9AA01094D60ED1C752B8C88E73A07B920A914A89CDAF7BB2720D19B083DEB1FD29488F9563DA4A48FE9265254E8
                    Malicious:false
                    Preview:@..J..@l.T:...........I;'.F..`.N.........&....q..R.........................U.W.F.C.u.r.r.e.n.t.S.t.a.t.u.s.......
                    Process:C:\Windows\SysWOW64\winrdlv3.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):108
                    Entropy (8bit):4.19161817311922
                    Encrypted:false
                    SSDEEP:3:bZB8vVkLvr0//Zl/l5GlneEQsh/:bZKvV6r0bKlneEQY/
                    MD5:2A05153B81754931059A1DCDD3EF9176
                    SHA1:D23C72C87BFF3DFE247FF1054418C5597D530105
                    SHA-256:18816C44067A97ADF28538DAEF17736BB2190F4502C9DF64AB0A87E6828D225C
                    SHA-512:3811022A36E65370173C132E51B1B51B5AAD23B58388CF5A788EF93759D4EDE19E69596BC422F8873704F4ADD7D0D4395A245B059777F7977D128500FCAA9E9F
                    Malicious:false
                    Preview:@..J..@l.T:.....j..]"{[..&.9;..H........... .!A............................U.W.F.N.e.x.t.S.t.a.t.u.s.......
                    Process:C:\Windows\SysWOW64\winrdlv3.exe
                    File Type:OpenPGP Public Key
                    Category:dropped
                    Size (bytes):84
                    Entropy (8bit):4.42629228747888
                    Encrypted:false
                    SSDEEP:3:vw7vXbkR/XE8+JMolZOclAlDLqRI/lll:vw7vXAZXV22calDmK/
                    MD5:C6AFB1789085A3AB4BD2AABB7582F6A2
                    SHA1:509D4E73B9343793216F0C528FC56FE357C6FB02
                    SHA-256:AB2C78442B8BE2EAE2C04211D1DFC1BC1BDD6B5C83206C4503E1CE4733B8E25F
                    SHA-512:7941BA804BA263E0D05B9561CD3E850E17FB86477BF6F9D0A1EDEDBF4020D0E058A3BB4A1239B95B50C7DE01C5EAC96759A43CDD73F3B2D0E9B87CDBC468CB20
                    Malicious:false
                    Preview:...U7.C..mS.....SZ..W3hL%..D.0.......U.W.F.P.r.i.v.i.l.e.g.e.S.e.t.t.i.n.g.......
                    Process:C:\Windows\SysWOW64\winrdlv3.exe
                    File Type:OpenPGP Public Key
                    Category:dropped
                    Size (bytes):76
                    Entropy (8bit):4.516267253592337
                    Encrypted:false
                    SSDEEP:3:vw7vXgwU3/q6ZO3+l5hl:vw7vX1UPyYh
                    MD5:47E5E2E3A4CC5B31309A66C65B1EEF68
                    SHA1:B23B22E6692B39F7C8951930BDB06AFC7961993B
                    SHA-256:6F2443E96CA9C7B34F2CA22B4D7F9AE2A94B422BB2FF5C1B4F46F0C1E115B389
                    SHA-512:CF926347CFADA8A86E320157FF0F8ABB1A690A4450A62CE7A80577A12E29541A4AB2B843A9EA6033637029DE9FB23D873D01F4E11F3B719D50C10E8C9EDC8AF0
                    Malicious:false
                    Preview:...U7.C..mS.....h.33....U...C(.......U.W.F.P.o.l.i.c.y.C.o.n.f.i.g.......
                    Process:C:\Windows\SysWOW64\winrdlv3.exe
                    File Type:OpenPGP Public Key
                    Category:dropped
                    Size (bytes):78
                    Entropy (8bit):4.521220427212312
                    Encrypted:false
                    SSDEEP:3:vw7vXY41ql3olZLXMRsyQsh/:vw7vXx1qfqyQY/
                    MD5:14EF11E142901355611F1125FF7A1464
                    SHA1:E3D03588ED9A40FFFC2016AE026E6F82BE06B497
                    SHA-256:8CE2AF761313038D42651CCE0D5D42D6D05DB6EF6C352F5047B3DDA138AC77C9
                    SHA-512:42AFBB594B862F5E0F7911E96359BC4EE748ADB8A6ACAD73C8B7124AF538346238E8796570FA6E810BBC147AF1F00B71A96E3026B144ED5297A5390FEA523BB2
                    Malicious:false
                    Preview:...U7.C..mS....6.%.N..r.;...*.......U.W.F.C.u.r.r.e.n.t.S.t.a.t.u.s.......
                    Process:C:\Windows\SysWOW64\winrdlv3.exe
                    File Type:OpenPGP Public Key
                    Category:dropped
                    Size (bytes):72
                    Entropy (8bit):4.602391902661978
                    Encrypted:false
                    SSDEEP:3:vw7vXzKoAELTllZGlneEQsh/:vw7vX+oAEXlilneEQY/
                    MD5:DDE7C6F81CFB6AA4091156BD0B69008A
                    SHA1:6134397B79990AB4D6707AD299B8D031A8D82F4E
                    SHA-256:1BECADDF6DC7E897C561D77D31AE890B30F03FB3FBB489C99937BBEFA1E25536
                    SHA-512:1F733D03A7822343A8C9B1278EE16B7E24D66B6F18BBCCF57AD7852B35094B25BE38FE7443086DADF438F7F96AFA0B9CD1266283141C7B8D21452C13F5051E66
                    Malicious:false
                    Preview:...U7.C..mS....Af..9Ko.n$j.<l.$.......U.W.F.N.e.x.t.S.t.a.t.u.s.......
                    Process:C:\Windows\SysWOW64\winrdlv3.exe
                    File Type:Unicode text, UTF-16, little-endian text, with very long lines (1863), with CRLF line terminators
                    Category:dropped
                    Size (bytes):10902
                    Entropy (8bit):2.6693479707079604
                    Encrypted:false
                    SSDEEP:96:rK34o6/nvtY/MDEg9COaFlaKNx5fl89MksbCMasa3gsVxbgLq6DTr:23onF4MDxUlaKN/fl89nsbHasyx7bglr
                    MD5:8248706A449F328F71B5EFBD5975B4D3
                    SHA1:12794F83D7E127AF81F4B740F816F10FC325BCD5
                    SHA-256:BD04D4903E0DC2329ACD78E80060CED6CE0E98D803AF6908967E9646C8D5A38F
                    SHA-512:6D90116FCAFE23FAAD700763767747317941D41ED7F445ABB3C365C79DEBDB9C08139075713DA7F4EB6AB05FE508AF396E52E50CF45DAE9B6EBF52A8BBD0375F
                    Malicious:false
                    Preview:..[.A.g.e.n.t.I.n.f.o.].....A.g.e.n.t.G.U.I.D.=.9.D.2.4.1.D.B.6.-.1.0.9.0.-.4.F.C.5.-.8.1.9.A.-.8.A.6.9.2.3.7.E.6.7.E.0.....A.g.e.n.t.I.D.T.i.m.e.C.o.u.n.t.e.r.=.0.3.0.0.0.0.0.0.....D.y.n.a.m.i.c.I.d.e.n.t.i.f.y.I.D.=.7.3.4.7.D.3.8.9.-.C.5.E.B.-.4.E.0.C.-.A.F.D.E.-.1.9.E.8.0.5.1.C.9.A.9.1.....[.A.g.e.n.t.I.d.e.n.t.i.f.y.C.o.n.f.i.g.].....A.G.E.N.T.I.D.E.N.T.I.F.Y.I.T.E.M.3.=.0.1.0.0.0.1.0.0.B.6.1.D.2.4.9.D.9.0.1.0.C.5.4.F.8.1.9.A.8.A.6.9.2.3.7.E.6.7.E.0.0.A.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.0.0.0.6.5.8.7.4.C.8.0.0.A.0.6.0.A.0.0.0.1.0.0.0.0.0.0.5.7.0.0.6.9.0.0.6.E.0.0.6.4.0.0.6.F.0.0.7.7.0.0.7.3.0.0.2.0.0.0.3.1.0.0.3.0.0.0.0.0.0.0.3.3.0.0.3.6.0.0.3.7.0.0.3.7.0.0.3.0.0.0.3.6.0.0.0.0.0.0.4.3.0.0.3.A.0.0.5.C.0.0.5.7.0.0.6.9.0.0.6.E.0.0.6.4.0.0.6.F.0.0.7.7.0.0.7.3.0.0.0.0.0.0.0.0.0.0.E.C.F.4.B.B.4.5.F.6.9.F.....A.G.E.N.T.I.N.F.O.I.T.E.M._.2.=.A.4.0.0.0.1.0.0.0.6.0.0.0.0.0.0.0.B.0.2.A.8.C.0.0.0.0.0.0.0.0.0.D.2.2.7.7.D.D.2.B.C.2.E.E.6.4.0.0.0.0.0.0.4.0.0.0.D.0.0.0.0.0.0.0.0.0.0.0.4.0.0.0.
                    Process:C:\Windows\SysWOW64\winrdlv3.exe
                    File Type:Unicode text, UTF-16, little-endian text, with very long lines (3082), with CRLF line terminators
                    Category:modified
                    Size (bytes):13900
                    Entropy (8bit):2.313683551111372
                    Encrypted:false
                    SSDEEP:192:wYdWwousLMcIf8475rVLRguQiMd4zgh2gbl+zcxxAXV:wYn755LS7gclMy4V
                    MD5:418A54408BA9A205BF610B3D988079BF
                    SHA1:0E2D1271F8DE82A53692384339BA5C1872356AAA
                    SHA-256:E0F521EA253882C42BE62D13278ADBADDBE067BE39918341DB5041A65F7F8C5B
                    SHA-512:2519525C927E082ACFA1EC32AC32B4D409B6595B888D260BBD20D2DEA1A374B080794748CC36692D6EE989DD4D512754FAB7654EAF9919F6388D2DB798FDEB41
                    Malicious:false
                    Preview:..[.S.n.a.p.s.h.o.t.P.o.l.i.c.y.]....._._.L.o.c.a.l._._.=.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.0.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
                    Process:C:\Windows\SysWOW64\winrdlv3.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):116
                    Entropy (8bit):1.9437713370940948
                    Encrypted:false
                    SSDEEP:3:ywXVlv5l/5xW/2xW/0+l3b/Ykl/x+ln:9X5l/a/2xW/0+d/Ykl/Yln
                    MD5:0FEC84C804C35A414109AFA8A3FABFBE
                    SHA1:1282D2523FFCE262FDB4B4FD956BEBD92DDF4CCC
                    SHA-256:F2E8923890920AB98AF65E064100C9AA16265444050A850DEA123F393D33709B
                    SHA-512:6CB98299345C2509E1A7B78C2BDF6C73D85954E2ACF78B43DE731AED44A97F33B6EF60CDA61F4B78C84EDADF2162EA096A49449AAD6E90359DBEC331904461B5
                    Malicious:false
                    Preview:TS..O8C3................................................REC.........REC.........REC.........REC.........REC.........
                    Process:C:\Windows\SysWOW64\winrdlv3.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):68
                    Entropy (8bit):1.4879933542381731
                    Encrypted:false
                    SSDEEP:3:y+klt/9lv5CS/l/:RkX5Xl/
                    MD5:B2A694142B2B98F1C5B41F6D28D02CE6
                    SHA1:547CE4E42BBE81A358D6866A1A5B194EE2D5720E
                    SHA-256:21F56710A7667C48FD5993A2B42AEEE519527BFD36075BA0A11DFC0BEC583F0E
                    SHA-512:6CDB6417BA0AD61AA13FE9E27E33BBB4EA29DA37969459A9EF5ED054C2822139DDA1E7C2F00FBA5D43683DDC7603546FA610E813C9F76DC34067D3CCE7A14E9C
                    Malicious:false
                    Preview:TS..OWUA................................................REC.........
                    Process:C:\Windows\SysWOW64\winrdlv3.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):68
                    Entropy (8bit):1.4879933542381731
                    Encrypted:false
                    SSDEEP:3:y+klt/9lv5CS/l/:RkX5Xl/
                    MD5:B2A694142B2B98F1C5B41F6D28D02CE6
                    SHA1:547CE4E42BBE81A358D6866A1A5B194EE2D5720E
                    SHA-256:21F56710A7667C48FD5993A2B42AEEE519527BFD36075BA0A11DFC0BEC583F0E
                    SHA-512:6CDB6417BA0AD61AA13FE9E27E33BBB4EA29DA37969459A9EF5ED054C2822139DDA1E7C2F00FBA5D43683DDC7603546FA610E813C9F76DC34067D3CCE7A14E9C
                    Malicious:false
                    Preview:TS..OWUA................................................REC.........
                    Process:C:\Windows\SysWOW64\winrdlv3.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):56
                    Entropy (8bit):1.1454678501138729
                    Encrypted:false
                    SSDEEP:3:y+ml//l9ln:Rm1
                    MD5:BF777B127EE66875E2B08174B00BBC07
                    SHA1:02EF38EB3FAD07CC2E795E33DAE9AD44CC1DE976
                    SHA-256:35C1AB113184120707B157D06E26AE834A48914EA0E313EA74EFDEBC7BA2E059
                    SHA-512:5F03FB5D7D8A3286452DC9D71E0F8369835C172C2179CA94FC81DDDEEB9F17F4404AEB2EA3C483809111CBE3F8741AD2C513A239E303B09F46E0230EC926DB07
                    Malicious:false
                    Preview:TS..OWUC................................................
                    Process:C:\Windows\SysWOW64\winrdlv3.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):56
                    Entropy (8bit):1.1454678501138729
                    Encrypted:false
                    SSDEEP:3:y+ml//l9ln:Rm1
                    MD5:BF777B127EE66875E2B08174B00BBC07
                    SHA1:02EF38EB3FAD07CC2E795E33DAE9AD44CC1DE976
                    SHA-256:35C1AB113184120707B157D06E26AE834A48914EA0E313EA74EFDEBC7BA2E059
                    SHA-512:5F03FB5D7D8A3286452DC9D71E0F8369835C172C2179CA94FC81DDDEEB9F17F4404AEB2EA3C483809111CBE3F8741AD2C513A239E303B09F46E0230EC926DB07
                    Malicious:false
                    Preview:TS..OWUC................................................
                    Process:C:\Windows\SysWOW64\winrdlv3.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):6440
                    Entropy (8bit):2.703437557196804
                    Encrypted:false
                    SSDEEP:48:O/B+9B/ky/oUlCF//64xmxQ3Nm/zF0ivFz2WF:O/BUWy/5e//647OPF
                    MD5:01BA7A1E3DDF180EFADB2912C76015F2
                    SHA1:0E7B694453C862C1756092FD0BC9FE51281E3AC7
                    SHA-256:8EE4BEC263EA8F8BA4E6DAB92DC83EAD34BE842C3CA5B3CBFAD8B162FFA61862
                    SHA-512:774FA7A601B3ACDC41AA346F790C81AE9055FAC0323D4F36DAB070926F4B92C64E8389CFC625B7424D37F2D26985B9300E71C6D58D672223398B14F7EC09F62E
                    Malicious:false
                    Process:C:\Users\user\AppData\Local\Temp\7z.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1802728
                    Entropy (8bit):6.520593089987922
                    Encrypted:false
                    SSDEEP:24576:I1iQzjPLwVa0gzIkUeSr18gU9W36RO5TsHKGaXDx0hl:Iz5zISSrqW36I7FXDx0hl
                    MD5:97AC3EF2E098C4CB7DD6EC1D14DC28F1
                    SHA1:3E78E87EEFE45F8403E46D94713B6667AEE6D9C9
                    SHA-256:A3D817490804A951BAC1C7B1EA6F48AED75BAEC7E3B4E31BE4FBD1FE82860BB1
                    SHA-512:693E90DA2581306A1F9BB117142429301C7DC28A8CAF623C4DFC21F735C53C4502E2B58A5EBDBD8C568DFD3393D1687428F1934F4C28B4FC715EB8F856AC02CD
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 4%
                    • Antivirus: Virustotal, Detection: 4%, Browse
                    Process:C:\Users\user\AppData\Local\Temp\7z.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):2421224
                    Entropy (8bit):6.490220533880386
                    Encrypted:false
                    SSDEEP:24576:mrmoCH/siu9xQBvJ4TyKyCdgjBXj0jHy3WBZ3cRDusH192mdoEtPg+61zpw94I25:mhxaM+7g+Kzq4I28/1eKle7mLXyn0Lw
                    MD5:B9E0A7CBD7FDB4D179172DBDD453495A
                    SHA1:7F1B18A2BEE7DEFA6DB4900982FD3311AABED50D
                    SHA-256:CB72B724C5F57E83CC5BC215DD522C566E0EA695B9E3D167EED9BE3F18D273CE
                    SHA-512:720985495B67E87F6ECF62268D7DC8FECDB7C06CF9606CE1A12CE4EA741DD3D46A759420E02EC54BC6E96E49D37A2E19AC307093B1228C01914C8E632A8D373C
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 4%
                    • Antivirus: Virustotal, Detection: 4%, Browse
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):6440
                    Entropy (8bit):2.611395388334064
                    Encrypted:false
                    SSDEEP:48:O/BO1h/kK/coy/cR/dLCk5o4cw3nq84rubl6yxU3pK/6LIOqSb4l:O/Bs2K/Ry/kLfRY3p57zo
                    MD5:4833D1B03D03DDCCA0F0CF5DD8DA3B30
                    SHA1:7B024506119792C930D3C124B5C657EF39621A02
                    SHA-256:7C14B529CC521CBE9B74DC4E4B6389A6B49BEEBE1E68E9F3AD377A3C6124CA7C
                    SHA-512:045503A09EB069AE3C3618EA0AA31FA8E08AD69F34B231C50BB5B8053C6E470BBAD783D9B99C3458EECBAB4B6DC18A7EB47C003DA58E0F1D9ACFEB77F16EEAD7
                    Malicious:false
                    Process:C:\Users\user\AppData\Local\Temp\7z.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14361064
                    Entropy (8bit):6.500004536427748
                    Encrypted:false
                    SSDEEP:196608:SPDuLJR9PL40/Rau8ik8lqRls5lzrZVlV03gHn4rj/L:vt8MYRlsDppf4rDL
                    MD5:3AE42CB8A028C5BE3F57575342BBB56D
                    SHA1:2939396B9069D4B46FEBC047B13CE2C30DE7E886
                    SHA-256:0E0EFB65F52F8AE90F1227AAFDDB1BD23803229497FC82C5C458C8D6EB83A609
                    SHA-512:F4E5C0FF991FC907049171F8BC0AC763462E081B411547A3B24F7D57B51A73FB2C3D0A8DAF5CCCB0DDD8970ED5C81BAF3A2C8E5B22EB3CCDC672A1E1AA01AE24
                    Malicious:true
                    Yara Hits:
                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: C:\Windows\SysWOW64\winoav3.dll, Author: Joe Security
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 1%, Browse
                    Process:C:\Users\user\AppData\Local\Temp\7z.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):58640
                    Entropy (8bit):4.987085254759881
                    Encrypted:false
                    SSDEEP:768:aYNaVzGJ6dKwFGeThZF1oGPh4xFn2MpDGNxvTp23+zjo1:aEaVzGvwFGefoGyjcM0o1
                    MD5:0CBEB75D3090054817EA4DF0773AFE35
                    SHA1:58C543A84DC18E21D86AD2C011D8AC726867FB78
                    SHA-256:453E2290939078C070E46896B2D991F31D295BBC1C63059B10F3C24CAD7C4822
                    SHA-512:F3AB9F393DA18DF2CFC22020627E72AE9E7C7B47DB088AAF0FA773028C96D0E7E3D4127082B59296EECFC9C60D389A43C78BA0A4348B0F6CEB76CC8978BA649C
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 3%, Browse
                    Process:C:\Users\user\AppData\Local\Temp\7z.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):2208232
                    Entropy (8bit):6.655043465468702
                    Encrypted:false
                    SSDEEP:24576:ZlX1wCmSn/ggkRk9XJ4QkOHE5/H8ZZsjLAAhHoMapx1XyM05g8wWT3Q80I:HRZR5vkIE5P88hAFXyM05IWk8D
                    MD5:0AED8F70A00060F8005EFA8D1C668B98
                    SHA1:C75FE3D1A2476DA55F526D366F73BEDBFD56F32A
                    SHA-256:326ABF1AF467670DE571252BFD8118B9EA0B8A3BABC10DF092FFFC2DA3E11671
                    SHA-512:738F9CBD6F693647D8B091D7192DB8963E2C4ECB179CE1B5C7A81F56045674694FAED7FDF88AF5D7E144149D86DF167D9ADF6460E3905024FAF526C08F7DC787
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 4%
                    • Antivirus: Virustotal, Detection: 4%, Browse
                    Process:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):1326464
                    Entropy (8bit):6.399945075671774
                    Encrypted:false
                    SSDEEP:24576:YunZ2BYJf0ZF1H+V7o+9Ql7Dm2E6WJ6pFgGJifEozVlFQQr11tO+F2lE4i1d8g1O:FmAf0BH+Vs+9CG2E6WJ6pOGJYFzV7QQO
                    MD5:889482A07BA13FC6E194A63D275A850A
                    SHA1:16A164FDED3352ABB63722A5C74750CDC438F99A
                    SHA-256:799D176813C3D0F5A01FD482576AEAB6A63E5024F3392E7974F5E437C3D7E3A0
                    SHA-512:E5CB9CF49120ED20B07FACEEFCCEF24DA4335F28F49D9AE7BFAFCCBC9A239C4039E9CE5F5D13B49D0BE475B3913311D08B7D70A1A2DF0C974D4C5A5F7BEC507A
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 1%, Browse
                    Process:C:\Users\user\AppData\Local\Temp\7z.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):14361064
                    Entropy (8bit):6.500004536427748
                    Encrypted:false
                    SSDEEP:196608:SPDuLJR9PL40/Rau8ik8lqRls5lzrZVlV03gHn4rj/L:vt8MYRlsDppf4rDL
                    MD5:3AE42CB8A028C5BE3F57575342BBB56D
                    SHA1:2939396B9069D4B46FEBC047B13CE2C30DE7E886
                    SHA-256:0E0EFB65F52F8AE90F1227AAFDDB1BD23803229497FC82C5C458C8D6EB83A609
                    SHA-512:F4E5C0FF991FC907049171F8BC0AC763462E081B411547A3B24F7D57B51A73FB2C3D0A8DAF5CCCB0DDD8970ED5C81BAF3A2C8E5B22EB3CCDC672A1E1AA01AE24
                    Malicious:true
                    Yara Hits:
                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: C:\Windows\bakoav3.sys, Author: Joe Security
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 1%, Browse
                    Process:C:\Users\user\AppData\Local\Temp\7z.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1802728
                    Entropy (8bit):6.520593089987922
                    Encrypted:false
                    SSDEEP:24576:I1iQzjPLwVa0gzIkUeSr18gU9W36RO5TsHKGaXDx0hl:Iz5zISSrqW36I7FXDx0hl
                    MD5:97AC3EF2E098C4CB7DD6EC1D14DC28F1
                    SHA1:3E78E87EEFE45F8403E46D94713B6667AEE6D9C9
                    SHA-256:A3D817490804A951BAC1C7B1EA6F48AED75BAEC7E3B4E31BE4FBD1FE82860BB1
                    SHA-512:693E90DA2581306A1F9BB117142429301C7DC28A8CAF623C4DFC21F735C53C4502E2B58A5EBDBD8C568DFD3393D1687428F1934F4C28B4FC715EB8F856AC02CD
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 4%
                    • Antivirus: Virustotal, Detection: 4%, Browse
                    Process:C:\Users\user\AppData\Local\Temp\7z.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):58640
                    Entropy (8bit):4.987085254759881
                    Encrypted:false
                    SSDEEP:768:aYNaVzGJ6dKwFGeThZF1oGPh4xFn2MpDGNxvTp23+zjo1:aEaVzGvwFGefoGyjcM0o1
                    MD5:0CBEB75D3090054817EA4DF0773AFE35
                    SHA1:58C543A84DC18E21D86AD2C011D8AC726867FB78
                    SHA-256:453E2290939078C070E46896B2D991F31D295BBC1C63059B10F3C24CAD7C4822
                    SHA-512:F3AB9F393DA18DF2CFC22020627E72AE9E7C7B47DB088AAF0FA773028C96D0E7E3D4127082B59296EECFC9C60D389A43C78BA0A4348B0F6CEB76CC8978BA649C
                    Malicious:true
                    Process:C:\Users\user\AppData\Local\Temp\7z.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):2421224
                    Entropy (8bit):6.490220533880386
                    Encrypted:false
                    SSDEEP:24576:mrmoCH/siu9xQBvJ4TyKyCdgjBXj0jHy3WBZ3cRDusH192mdoEtPg+61zpw94I25:mhxaM+7g+Kzq4I28/1eKle7mLXyn0Lw
                    MD5:B9E0A7CBD7FDB4D179172DBDD453495A
                    SHA1:7F1B18A2BEE7DEFA6DB4900982FD3311AABED50D
                    SHA-256:CB72B724C5F57E83CC5BC215DD522C566E0EA695B9E3D167EED9BE3F18D273CE
                    SHA-512:720985495B67E87F6ECF62268D7DC8FECDB7C06CF9606CE1A12CE4EA741DD3D46A759420E02EC54BC6E96E49D37A2E19AC307093B1228C01914C8E632A8D373C
                    Malicious:true
                    Process:C:\Users\user\AppData\Local\Temp\7z.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):2208232
                    Entropy (8bit):6.655043465468702
                    Encrypted:false
                    SSDEEP:24576:ZlX1wCmSn/ggkRk9XJ4QkOHE5/H8ZZsjLAAhHoMapx1XyM05g8wWT3Q80I:HRZR5vkIE5P88hAFXyM05IWk8D
                    MD5:0AED8F70A00060F8005EFA8D1C668B98
                    SHA1:C75FE3D1A2476DA55F526D366F73BEDBFD56F32A
                    SHA-256:326ABF1AF467670DE571252BFD8118B9EA0B8A3BABC10DF092FFFC2DA3E11671
                    SHA-512:738F9CBD6F693647D8B091D7192DB8963E2C4ECB179CE1B5C7A81F56045674694FAED7FDF88AF5D7E144149D86DF167D9ADF6460E3905024FAF526C08F7DC787
                    Malicious:true
                    Process:C:\Users\user\AppData\Local\Temp\7z.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):1326464
                    Entropy (8bit):6.399945075671774
                    Encrypted:false
                    SSDEEP:24576:YunZ2BYJf0ZF1H+V7o+9Ql7Dm2E6WJ6pFgGJifEozVlFQQr11tO+F2lE4i1d8g1O:FmAf0BH+Vs+9CG2E6WJ6pOGJYFzV7QQO
                    MD5:889482A07BA13FC6E194A63D275A850A
                    SHA1:16A164FDED3352ABB63722A5C74750CDC438F99A
                    SHA-256:799D176813C3D0F5A01FD482576AEAB6A63E5024F3392E7974F5E437C3D7E3A0
                    SHA-512:E5CB9CF49120ED20B07FACEEFCCEF24DA4335F28F49D9AE7BFAFCCBC9A239C4039E9CE5F5D13B49D0BE475B3913311D08B7D70A1A2DF0C974D4C5A5F7BEC507A
                    Malicious:true
                    Process:C:\Users\user\AppData\Local\Temp\7z.exe
                    File Type:Generic INItialization configuration [extensions]
                    Category:dropped
                    Size (bytes):3443
                    Entropy (8bit):3.782143742362491
                    Encrypted:false
                    SSDEEP:48:ZpccIVf4WAceYI9hmzqcUoeG9CVuHpQrf:ZpccMf89hQUVuHwf
                    MD5:210E4584E9309A18A26DB1D2781B6DCE
                    SHA1:913154C4A494FC34FBBC622C90F392A2AE6532D5
                    SHA-256:4A7721DD7742DDEB91B7477DC7CDFFD13E26FF32EBF064BA996EB27227DD9A58
                    SHA-512:F94B90420D2C6F5F3634860261FE1792460D949FB600ED7CDA3091D363A877D2F36028B443AA5947AB9B8051FE5F4FAEAC28073C1864CFF2FB2CCE907F3F4ECF
                    Malicious:false
                    Preview:; for 16-bit app support..[fonts]..[extensions]..[mci extensions]..[files]..[Mail]..MAPI=1..[ED30_8AC4_11D5_8930_A730]..OUTOFLICENSEEX=010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000..OUTOFLICENSE4=1..OUTOFLICENSE3=1..OUTOFLICENSE2=1..AID=65700..GID=999..SIP=763179097..SIPD=4294967295..SNameSID=4294967295..InstallTime=D2277DD2BC2EE640..SName=..AIDInfo2=000000000000000006000000020000000200000043003A005C00570049004E0044004F0057005300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                    Entropy (8bit):7.998967238875457
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 92.16%
                    • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    • DOS Executable Generic (2002/1) 0.02%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:#U8fdd#U89c4#U540d#U5355.exe
                    File size:14'038'624 bytes
                    MD5:5d84e6ed7d8e9b89fae2771d6870393e
                    SHA1:fee5fe80e8cf95156c1129079747729f9ad54cef
                    SHA256:193a19a4d22e3f959cd43b0aa05c11a3793283a27f9af95e8d468693277ef128
                    SHA512:a97e087431345b7098c9c8d2bfa517f2a229b10deb4f1c142495e8a3de78461e40d04bb965534f30d2a67c358a2120e01783517756e4d59df4d6c046f56818c4
                    SSDEEP:196608:wH5YImLyHSWpi627ofHc1fO2y01Hi/eLspPrf085u/AgponDcMWTjiNvGfi8T9jY:wwSSiz/cO/qC/qspD8TaDtefNT9jY
                    TLSH:29E63381D0455CDEF25AA0B7A4C0C19899D55B099B386F6922FBF872F63A6D33783C07
                    Icon Hash:6de86a969696cc6d
                    Entrypoint:0x40323b
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                    DLL Characteristics:TERMINAL_SERVER_AWARE
                    Time Stamp:0x52BA66BB [Wed Dec 25 05:01:47 2013 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:59a4a44a250c4cf4f2d9de2b3fe5d95f
                    Instruction
                    sub esp, 00000184h
                    push ebx
                    push ebp
                    push esi
                    xor ebx, ebx
                    push edi
                    mov dword ptr [esp+18h], ebx
                    mov dword ptr [esp+10h], 00409130h
                    mov dword ptr [esp+20h], ebx
                    mov byte ptr [esp+14h], 00000020h
                    call dword ptr [00407034h]
                    push 00008001h
                    call dword ptr [004070B4h]
                    push ebx
                    call dword ptr [0040728Ch]
                    push 00000008h
                    mov dword ptr [0042E478h], eax
                    call 00007F5AC15E1FA2h
                    mov dword ptr [0042E3C4h], eax
                    push ebx
                    lea eax, dword ptr [esp+38h]
                    push 00000160h
                    push eax
                    push ebx
                    push 00428800h
                    call dword ptr [00407164h]
                    push 004091E4h
                    push 0042DBC0h
                    call 00007F5AC15E1C4Ch
                    call dword ptr [004070B0h]
                    mov ebp, 00434000h
                    push eax
                    push ebp
                    call 00007F5AC15E1C3Ah
                    push ebx
                    call dword ptr [00407118h]
                    cmp byte ptr [00434000h], 00000022h
                    mov dword ptr [0042E3C0h], eax
                    mov eax, ebp
                    jne 00007F5AC15DF1FCh
                    mov byte ptr [esp+14h], 00000022h
                    mov eax, 00434001h
                    push dword ptr [esp+14h]
                    push eax
                    call 00007F5AC15E16CAh
                    push eax
                    call dword ptr [00407220h]
                    mov dword ptr [esp+1Ch], eax
                    jmp 00007F5AC15DF2B5h
                    cmp cl, 00000020h
                    jne 00007F5AC15DF1F8h
                    inc eax
                    cmp byte ptr [eax], 00000020h
                    je 00007F5AC15DF1ECh
                    Programming Language:
                    • [EXP] VC++ 6.0 SP5 build 8804
                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x74b0 | 0xb4 | .rdata
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x37000 | 0xbb90 | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x298 | .rdata
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x1000 | 0x5f52 | 0x6000 | 4a17c912e054bd7e689058c6e023d24b | False | 0.6734212239583334 | data | 6.482844752733138 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .rdata | 0x7000 | 0x12da | 0x1400 | 0c7782eb506f624e867e0814d74757b0 | False | 0.438671875 | data | 5.098239122979059 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .data | 0x9000 | 0x254b8 | 0x400 | b0a8c6c425968dda759cc449cbca4651 | False | 0.6416015625 | data | 5.095969613313189 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .ndata | 0x2f000 | 0x8000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .rsrc | 0x37000 | 0xbb90 | 0xbc00 | c63d58071faf4726f9cfe8ad6e0476fe | False | 0.15452543218085107 | data | 3.5948245523656785 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                    RT_ICON | 0x37298 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | English | United States | 0.06654463863958432
                    RT_ICON | 0x3b4c0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.08952282157676349
                    RT_ICON | 0x3da68 | 0x1a68 | Device independent bitmap graphic, 40 x 80 x 32, image size 0 | English | United States | 0.11257396449704142
                    RT_ICON | 0x3f4d0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.13836772983114445
                    RT_ICON | 0x40578 | 0xe78 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8917386609071274
                    RT_ICON | 0x413f0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States | 0.1930327868852459
                    RT_ICON | 0x41d78 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 0 | English | United States | 0.22209302325581395
                    RT_ICON | 0x42430 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.2925531914893617
                    RT_DIALOG | 0x42898 | 0x100 | data | English | United States | 0.5234375
                    RT_DIALOG | 0x42998 | 0x11c | data | English | United States | 0.6056338028169014
                    RT_DIALOG | 0x42ab8 | 0x60 | data | English | United States | 0.7291666666666666
                    RT_GROUP_ICON | 0x42b18 | 0x76 | data | English | United States | 0.7542372881355932
                    DLL | Import
                    KERNEL32.dll | GetTickCount, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, SearchPathA, GetShortPathNameA, CreateFileA, GetFileSize, GetModuleFileNameA, ReadFile, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, CloseHandle, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrlenA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrcpyA, lstrcatA, GetSystemDirectoryA, GetVersion, GetProcAddress, GlobalAlloc, CompareFileTime, SetFileTime, ExpandEnvironmentStringsA, lstrcmpiA, lstrcmpA, WaitForSingleObject, GlobalFree, GetExitCodeProcess, GetModuleHandleA, GetTempPathA, GetWindowsDirectoryA, LoadLibraryExA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, WriteFile, FindClose, WritePrivateProfileStringA, MultiByteToWideChar, MulDiv, GetPrivateProfileStringA, FreeLibrary
                    USER32.dll | CreateWindowExA, EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, GetDC, SystemParametersInfoA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, CreateDialogParamA, SetTimer, GetDlgItem, wsprintfA, SetForegroundWindow, ShowWindow, IsWindow, LoadImageA, SetWindowLongA, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, PostQuitMessage, FindWindowExA, SendMessageTimeoutA, SetWindowTextA
                    GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
                    SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
                    ADVAPI32.dll | RegCloseKey, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumValueA, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
                    COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
                    ole32.dll | CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
                    VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
                    Language of compilation system | Country where language is spoken | Map
                    English | United States |
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    May 18, 2024 03:37:16.677437067 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:16.677620888 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:16.682708979 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:16.843175888 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:16.843450069 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:16.848467112 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:17.010160923 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:17.031755924 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:17.129153967 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:17.225904942 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:17.226527929 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:17.226552010 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:17.231502056 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:17.236352921 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:17.385118008 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:17.385330915 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:17.390245914 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:17.550234079 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:17.550918102 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:17.555763006 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:17.777441025 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:17.808137894 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:17.813121080 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:17.991648912 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:17.995254993 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:18.000138044 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:18.159816027 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:18.160142899 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:18.166115999 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:18.326425076 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:18.359862089 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:18.403467894 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:18.538918018 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:18.539607048 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:18.545681953 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:18.716161013 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:18.717942953 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:18.723069906 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:18.891664028 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:18.907907009 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:18.913414955 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:19.074215889 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:19.115847111 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:19.252657890 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:19.260174036 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:19.275053024 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:19.275275946 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:19.324183941 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:19.420330048 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:19.420892000 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:19.425951958 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:19.636229992 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:19.641935110 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:19.648154020 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:19.928143978 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:19.928986073 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:19.929212093 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:19.936162949 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:19.941447020 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:20.108283043 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:20.133142948 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:20.138329983 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:20.410645008 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:20.410939932 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:20.426959038 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:20.593427896 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:20.594007015 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:20.598854065 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:20.876216888 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:20.876502991 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:20.881562948 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:21.070586920 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:21.115885973 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:21.137847900 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:21.142796040 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:21.348531008 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:21.348814011 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:21.353705883 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:21.532485962 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:21.533081055 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:21.538028955 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:21.848481894 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:21.848750114 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:21.853637934 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:22.013170958 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:22.047861099 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:22.052896023 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:22.319318056 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:22.319554090 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:22.372447014 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:22.519011974 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:22.519629955 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:22.524535894 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:23.230984926 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:23.231219053 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:23.236180067 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:23.264326096 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:23.269260883 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:23.714291096 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:23.714504004 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:23.719367027 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:23.882122993 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:23.882626057 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:23.889684916 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:24.193114996 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:24.193317890 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:24.198386908 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:24.358377934 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:24.369915009 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:24.375588894 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:24.685920954 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:24.686104059 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:24.691081047 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:24.851021051 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:24.858778954 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:24.864084959 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:25.165911913 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:25.166070938 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:25.170957088 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:25.331012011 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:25.341296911 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:25.346347094 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:25.638365984 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:25.638607025 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:25.643551111 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:25.848463058 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:25.897197962 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:26.034986019 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:26.040436029 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:26.166394949 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:26.166568041 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:26.171536922 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:26.414390087 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:26.459670067 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:26.709628105 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:26.756608009 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:27.453905106 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:27.453959942 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:27.458939075 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:27.509066105 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:27.832303047 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:27.832832098 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:27.837733984 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:28.534152985 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:28.534354925 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:28.540172100 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:28.546096087 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:28.552052021 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:28.994052887 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:28.994317055 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:28.999289989 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:29.178587914 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:29.179069042 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:29.184124947 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:29.488919020 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:29.489108086 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:29.494565964 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:30.116305113 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:30.127342939 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:30.127371073 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:30.133512020 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:30.139650106 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:30.638873100 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:30.641634941 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:30.646661043 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:31.199534893 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:31.199759007 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:31.205269098 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:31.213839054 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:31.219110012 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:31.688288927 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:31.688608885 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:31.693591118 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:31.865082979 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:31.865729094 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:31.870784044 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:32.167790890 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:32.170348883 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:32.175287008 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:32.334903002 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:32.351113081 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:32.356354952 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:33.065222979 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:33.065615892 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:33.065891027 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:33.070636034 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:33.075460911 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:33.542699099 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:33.545788050 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:33.552087069 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:33.711558104 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:33.721713066 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:33.728302002 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:34.019174099 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:34.019469023 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:34.024549007 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:34.189419031 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:34.189910889 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:34.194847107 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:34.494828939 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:34.495084047 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:34.500216961 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:34.725738049 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:34.742110968 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:34.748009920 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:35.031747103 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:35.032006025 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:35.042831898 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:35.213824034 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:35.214514017 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:35.235877037 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:35.539541006 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:35.539848089 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:35.553467989 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:35.745073080 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:35.782215118 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:35.796364069 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:36.187927961 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:36.188930988 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:36.194010019 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:36.570549965 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:36.590653896 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:36.595670938 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:36.971560001 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:36.972362995 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:36.977257967 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:37.353482008 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:37.380800962 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:37.385759115 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:37.774509907 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:37.775473118 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:37.837924957 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:38.160212040 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:38.174365997 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:38.179399967 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:38.554824114 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:38.555707932 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:38.560770988 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:38.934386015 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:38.945976019 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:38.950928926 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:39.326302052 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:39.327116966 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:39.332094908 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:39.693945885 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:39.708509922 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:39.713589907 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:40.089027882 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:40.089786053 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:40.094711065 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:40.469945908 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:40.479935884 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:40.485001087 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:40.856939077 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:40.857593060 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:40.862596035 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:41.239602089 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:41.251657009 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:41.258239985 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:41.631141901 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:41.631762028 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:41.636698008 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:42.012559891 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:42.028599024 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:42.033771992 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:42.409756899 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:42.410257101 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:42.415235996 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:42.791204929 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:42.801913023 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:42.806971073 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:43.180634975 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:43.181277037 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:43.217103004 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:43.561656952 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:43.615853071 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:43.637593985 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:43.668533087 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:44.043843985 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:44.044425964 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:44.049304008 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:44.203213930 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:44.203677893 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:44.208596945 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:44.425045013 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:44.451838017 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:44.456995010 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:44.729732037 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:44.735308886 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:44.740292072 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:44.852602005 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:44.853269100 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:44.862160921 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:45.115168095 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:45.116520882 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:45.121442080 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:45.334151983 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:45.369601965 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:45.396338940 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:45.547012091 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:45.548188925 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:45.548278093 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:45.551696062 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:45.551708937 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:45.551776886 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:45.755908012 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:45.757164001 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:45.757236958 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:45.760229111 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:45.763360977 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:53.747980118 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:53.747992992 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:53.748042107 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:53.749766111 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:53.749778986 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:53.749833107 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:53.751533031 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:53.751562119 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:53.751594067 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:53.751637936 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:53.786508083 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:53.786519051 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:53.786748886 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:53.787137985 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:53.787853003 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:53.787863970 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:53.787930012 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:53.788583994 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:53.788595915 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:53.788604975 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:53.788642883 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:53.788664103 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:53.789978027 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:53.790700912 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:53.790713072 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:53.790752888 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:53.792155027 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:53.792166948 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:53.792177916 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:53.792208910 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:53.792237043 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:53.793557882 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:53.793570042 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:53.793631077 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:53.794976950 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:53.794989109 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:53.795043945 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:53.796389103 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:53.796403885 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:53.796427011 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:53.796437025 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:53.796456099 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:53.796483040 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:54.001005888 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.001312017 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.001388073 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:54.001995087 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.002645969 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.002656937 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.002687931 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:54.003019094 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:54.005747080 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.022787094 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:54.052448034 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.100941896 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.421581030 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.421812057 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.421879053 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:54.422410965 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.423077106 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.423105001 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.423116922 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.423127890 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:54.423168898 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:54.424398899 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.425086021 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.425097942 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.425108910 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.425136089 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:54.425147057 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:54.426414967 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.426426888 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.426481962 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:54.427872896 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.427884102 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.427923918 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:54.429061890 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.429074049 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.429095030 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.429128885 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:54.430150032 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.430162907 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.430197954 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:54.431190968 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.431202888 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.431242943 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:54.637051105 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.637240887 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.637312889 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:54.637851000 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.638431072 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.638482094 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:54.639025927 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.639036894 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.639085054 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:54.640198946 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.640821934 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.640839100 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.640875101 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:54.641989946 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.642002106 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.642011881 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.642043114 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:54.642061949 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:54.643179893 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.643192053 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.643239021 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:54.644345999 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.644359112 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.644401073 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:54.645291090 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.645303965 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.645344019 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:54.646228075 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.646239996 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.646251917 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.646280050 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:54.646728039 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:54.695570946 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:54.695676088 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:54.702568054 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.075895071 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.076215029 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.076309919 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.076570034 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.076584101 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.076636076 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.077181101 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.077702999 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.077716112 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.077766895 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.078777075 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.078830957 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.079442978 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.079454899 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.079509020 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.079921961 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.079935074 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.079979897 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.080899954 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.080912113 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.080954075 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.081039906 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.081053019 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.081108093 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.081530094 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.081542015 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.081577063 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.082385063 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.082396030 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.082406998 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.082453966 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.082957983 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.083003044 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.083399057 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.131561041 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.524909019 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.524935007 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.525000095 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.525229931 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.525243044 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.525285959 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.525768995 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.525782108 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.525844097 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.526824951 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.526837111 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.526848078 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.526874065 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.527842999 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.527856112 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.527864933 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.527880907 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.527905941 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.528887033 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.528899908 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.528959036 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.529912949 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.529927015 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.529964924 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.530930042 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.530942917 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.530952930 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.530978918 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.532040119 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.532053947 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.532063007 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.532085896 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.532124043 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.532536983 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.533071041 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.533117056 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.584995985 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.958506107 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.958549976 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.958679914 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.958990097 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.959501982 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.959520102 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.959536076 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.959563971 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.959611893 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.960561991 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.961035013 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.961054087 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.961095095 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.962004900 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.962023973 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.962057114 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.962914944 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.962981939 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.963445902 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.963470936 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.963512897 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.964545012 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.964565039 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.964580059 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.964629889 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.965480089 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.965497971 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.965527058 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.966166973 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.966183901 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.966213942 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.966972113 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.966991901 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.967014074 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:55.967787027 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.967807055 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:55.967843056 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:56.022131920 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:56.174148083 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:56.174536943 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:56.174554110 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:56.174588919 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:56.175020933 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:56.175038099 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:56.175051928 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:56.175065994 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:56.175084114 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:56.176142931 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:56.176321983 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:56.176337957 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:56.176372051 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:56.177222967 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:56.177239895 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:56.177265882 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:56.178600073 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:56.178617001 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:56.178632021 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:56.178647041 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:56.178673029 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:56.180140018 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:56.180159092 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:56.180198908 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:56.727555037 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:56.728049994 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:56.733001947 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:57.110002995 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:57.114835978 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:57.114948988 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:57.368398905 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:57.368434906 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:57.368596077 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:57.374006033 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:57.374020100 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:57.374083996 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:57.583925962 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:57.584029913 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:57.584193945 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:57.584589005 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:57.585098028 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:57.585109949 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:57.585172892 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:57.589009047 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:57.589075089 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:57.797480106 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:57.798898935 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:57.798969984 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:57.803412914 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:57.806091070 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:57.806103945 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:57.806171894 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:57.813417912 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:57.813489914 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:57.816097021 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:57.816117048 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:57.816128016 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:57.816165924 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:57.823421955 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:57.823515892 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:58.010696888 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:58.011899948 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:58.011970997 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:58.014626026 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:58.017364025 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:58.017376900 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:58.017388105 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:58.017416954 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:58.017450094 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:58.022830963 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:58.025510073 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:58.025525093 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:58.025535107 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:58.025563002 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:58.025583982 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:58.030949116 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:58.030963898 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:37:58.031016111 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:37:58.035293102 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:03.866122007 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:03.867358923 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:03.867372036 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:03.867408991 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:03.868603945 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:03.868617058 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:03.868665934 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:04.069915056 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.070126057 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.070214987 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:04.070722103 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.070734024 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.070789099 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:04.071351051 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.071995020 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.072009087 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.072021008 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.072051048 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:04.072081089 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:04.073214054 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.073225975 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.073277950 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:04.074404955 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.074415922 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.074471951 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:04.075032949 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.075047970 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.075069904 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.075093985 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:04.076236010 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.076283932 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:04.076836109 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.076847076 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.076889992 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:04.077270985 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:04.128494024 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.503959894 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.504133940 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.504239082 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:04.508289099 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.510921955 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.510935068 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.510946989 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.511084080 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:04.511224985 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.511239052 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.511332035 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:04.511727095 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.511740923 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.511840105 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:04.512851954 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.512866020 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.512936115 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:04.514195919 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.514210939 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.514223099 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.514333010 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:04.515587091 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.515600920 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.515638113 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:04.517585993 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.517648935 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.517667055 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:04.517718077 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.517754078 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.517776966 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:04.517791986 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:04.518515110 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.518553019 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.518575907 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:04.518585920 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.518650055 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:04.519575119 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.519612074 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.519665003 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:04.520420074 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.520457029 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.520514965 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:04.521457911 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.521493912 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.521671057 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:04.575376987 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.575509071 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:04.717089891 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.717530012 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.717622042 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:04.718012094 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.718655109 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.718732119 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:04.719155073 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.719168901 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.719177961 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.719264030 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:04.720312119 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.720387936 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:04.721093893 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.721106052 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.721194983 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:04.722306013 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.722320080 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.722392082 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:04.725310087 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:04.726322889 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:04.738344908 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.111565113 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.111603022 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.111731052 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.112179041 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.112214088 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.112253904 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.113406897 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.113445044 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.113492966 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.114624023 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.114660025 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.114702940 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.115878105 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.115911961 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.115945101 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.116008043 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.117104053 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.117137909 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.117175102 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.118359089 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.118392944 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.118416071 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.119590998 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.119627953 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.119647026 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.120575905 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.120609999 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.120623112 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.120641947 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.120688915 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.121557951 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.121594906 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.121670961 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.122544050 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.122576952 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.122616053 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.123539925 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.123577118 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.123615026 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.124543905 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.124577999 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.124618053 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.125473022 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.125505924 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.125555992 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.172358990 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.172409058 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.315728903 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.316613913 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.316704988 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.318013906 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.318030119 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.318069935 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.324131966 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.324148893 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.324161053 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.324174881 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.324186087 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.324198961 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.324229956 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.324261904 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.327277899 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.327742100 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.336915970 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.711464882 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.714407921 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.714502096 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.718432903 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.723433971 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.723448038 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.723509073 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.727849007 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.727863073 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.727912903 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.737466097 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.737531900 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.741123915 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.741137028 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.741197109 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.748717070 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.748733997 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.748809099 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.756298065 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.756314039 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.756325960 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.756397009 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.763462067 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.763478994 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.763545990 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.769733906 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.769748926 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.769819975 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.776047945 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.776062965 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.776148081 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.782344103 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.782357931 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.782430887 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.788402081 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.788417101 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.788429022 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.788461924 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.788516045 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.794142008 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.794164896 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.794245958 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.799455881 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.799475908 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.799527884 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.804501057 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.804516077 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.804574013 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.926359892 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.927654028 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.927773952 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.930461884 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.933347940 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.933444977 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.936240911 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.936256886 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.936268091 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.936306000 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.942070007 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.942133904 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.944401026 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.944422960 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:05.944470882 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:05.944813967 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:06.194013119 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:06.199462891 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.199476957 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.199549913 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:06.204387903 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.570904016 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.571779966 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.571871996 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:06.574198008 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.576581955 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.576666117 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:06.579034090 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.579046965 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.579098940 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:06.583863020 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.583878040 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.583889008 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.583960056 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:06.587688923 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.587702036 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.587759018 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:06.591543913 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.591557026 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.591604948 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:06.595108986 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.595122099 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.595181942 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:06.598634005 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.598647118 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.598656893 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.598695993 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:06.598716021 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:06.601850986 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.601865053 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.601912022 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:06.605112076 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.605125904 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.605171919 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:06.608294010 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.608308077 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.608365059 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:06.611514091 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.611526966 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.611581087 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:06.614712954 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.614726067 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.614736080 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.614773035 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:06.617734909 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.617748022 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.617815971 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:06.620547056 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.620558977 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.620569944 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.620618105 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:06.620631933 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:06.786333084 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.788136005 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.788263083 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:06.788908958 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.790466070 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.790532112 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:06.792491913 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.792507887 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.792553902 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:06.793555975 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.834638119 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:06.945911884 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:06.946403980 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:06.951318979 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:07.319179058 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:07.321052074 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:07.321119070 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:07.321695089 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:07.323952913 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:07.324009895 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:07.325921059 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:07.326602936 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.036504984 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.039022923 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.039079905 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.039381981 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.040683031 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.040736914 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.041487932 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.043960094 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.044008017 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.045398951 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.045418978 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.045489073 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.045717955 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.045800924 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.045881033 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.096604109 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.096697092 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.101547956 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.301914930 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.349596977 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.359181881 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.364803076 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.431699038 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.432076931 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.432131052 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.432143927 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.437967062 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.443593025 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.467412949 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.467434883 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.468401909 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.468508005 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.468902111 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.470352888 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.470416069 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.470858097 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.472155094 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.472217083 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.472789049 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.475313902 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.475363016 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.475701094 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.476984024 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.477056026 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.477746010 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.480247021 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.480340958 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.480626106 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.481772900 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.481842041 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.482217073 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.484206915 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.484287024 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.484570980 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.486177921 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.486246109 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.486509085 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.487329960 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.487390041 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.488152027 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.490164995 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.490236998 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.490529060 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.492078066 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.492149115 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.496869087 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.537784100 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.683897018 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.683921099 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.684050083 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.684058905 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.685611963 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.685636044 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.685668945 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.690677881 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.690697908 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.690715075 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.690748930 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.690782070 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.692703009 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.694847107 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.694904089 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.695327997 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.697050095 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.697105885 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.697503090 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.698121071 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.698180914 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.699223042 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.701646090 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.701709032 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.706840038 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.707335949 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.761965990 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.762094021 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.799593925 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.897150993 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.897507906 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.897548914 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.897548914 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:12.902642012 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.907526970 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:12.957000017 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:13.443835020 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:13.448642969 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:13.448771000 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:13.657111883 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:13.659853935 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:13.659986019 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:13.665199041 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:13.709721088 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:14.071228027 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.073214054 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.073332071 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:14.077730894 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.084192991 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.084229946 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.084280014 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:14.092226028 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.092293024 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:14.092304945 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.092350006 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:14.097467899 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.097505093 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.097655058 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:14.101464033 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.101502895 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.101572037 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:14.109462976 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.109498978 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.109545946 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:14.112241030 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.112276077 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.112308979 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.112323046 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:14.162765980 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:14.299794912 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.300317049 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.300415993 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:14.302519083 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.306124926 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.306160927 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.306180954 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:14.307462931 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.307512045 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:14.309806108 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.309844017 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.309962034 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:14.313122988 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.315717936 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.315752983 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.315835953 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:14.318991899 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.319027901 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.319039106 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:14.324189901 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.324225903 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.324273109 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:14.326097965 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.326133966 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.326160908 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:14.326167107 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.326235056 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:14.516238928 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.516268015 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.516376972 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:14.517433882 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.519736052 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.519800901 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:14.519815922 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.520538092 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.520591974 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:14.522290945 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.522672892 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:14.532866001 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.910428047 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.910451889 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.910628080 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:14.911223888 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.913558960 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.913625002 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:14.914511919 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.914525986 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.914575100 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:14.916163921 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.917942047 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.918006897 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:14.920717955 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.923428059 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.923439980 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.923455000 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.923528910 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:14.925633907 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.925648928 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.925720930 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:14.929431915 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.929445982 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.929522038 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:14.932185888 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.932199955 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.932395935 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:14.984020948 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:14.984258890 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:15.335908890 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.337069035 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.337167025 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:15.337441921 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.340012074 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.340117931 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:15.340723991 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.341078043 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.341196060 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:15.344861984 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.344897985 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.344953060 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:15.346184015 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.347246885 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.347307920 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:15.350930929 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.350971937 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.352163076 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.352922916 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.354435921 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:15.356432915 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.357017040 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.357031107 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.357059002 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:15.361217022 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.361232042 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.361320972 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:15.362387896 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.362404108 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.362457991 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:15.366174936 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.366219044 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:15.367223978 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.412770987 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:15.417104006 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.417282104 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:15.553292990 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.553776979 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:15.558883905 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.931067944 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.932281017 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.932354927 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:15.932563066 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.934024096 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.934076071 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:15.935030937 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.936181068 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.936235905 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:15.939143896 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.939268112 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.939313889 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:15.941003084 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.983829975 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:15.983917952 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:16.147097111 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:16.147140026 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:16.147382021 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:16.147917032 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:16.150705099 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:16.150717020 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:16.150763035 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:16.151971102 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:16.152021885 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:16.153331995 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:16.158188105 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:16.158245087 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:16.200284958 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:16.201420069 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:16.201487064 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:16.208156109 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:16.256489992 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:16.361155033 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:16.362891912 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:16.362947941 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:16.366853952 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:16.371228933 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:16.371319056 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:16.374799967 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:16.374838114 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:16.374898911 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:16.379653931 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:16.382314920 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:16.382376909 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:16.409142971 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:16.410367966 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:16.410444975 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:16.412442923 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:16.414984941 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:16.415088892 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:16.566409111 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:16.568145990 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:16.568353891 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:16.569412947 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:16.572151899 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:16.572195053 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:16.573414087 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:16.573429108 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:16.573479891 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:16.576168060 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:16.580148935 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:16.580219984 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:16.616981030 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:16.618308067 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:16.618367910 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:16.618376017 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:16.622092962 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:16.622132063 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:25.975519896 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:25.977152109 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:25.980149031 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:25.980192900 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:26.162395000 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.164659023 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.164731026 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:26.165448904 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.168390989 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.168453932 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:26.169075966 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.170284033 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.170345068 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:26.173820019 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.176016092 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.176083088 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:26.179122925 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.183742046 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.183818102 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:26.184178114 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.184212923 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.184262037 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:26.204380989 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.209593058 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.209656954 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:26.379107952 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.379144907 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.379318953 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:26.381426096 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.381851912 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.381908894 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:26.386120081 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.386135101 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.386286020 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:26.391098976 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.391115904 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.391163111 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:26.392527103 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.395987988 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.396002054 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.396044970 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:26.401391029 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.401456118 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:26.417799950 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.420156002 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.420238972 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:26.464809895 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.469445944 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.469526052 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:26.590672970 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.592073917 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.592123985 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:26.593277931 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.594500065 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.594538927 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:26.597254992 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.597671986 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:26.607027054 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.979226112 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.979269981 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.979372978 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:26.980154037 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.980798960 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.980859041 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:26.984880924 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.986140013 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.986218929 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:26.989990950 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.990423918 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.990482092 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:26.994462967 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.995054007 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.995116949 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:26.998934031 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.999666929 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:26.999726057 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:27.002854109 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:27.002887964 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:27.002939939 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:27.006984949 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:27.053411961 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:27.138223886 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:27.193557978 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:27.193619013 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:27.195770025 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:27.200917959 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:27.201023102 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:27.206408024 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:27.211004019 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:27.211034060 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:27.211045980 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:27.211065054 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:27.211091042 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:27.217032909 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:27.220252991 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:27.220269918 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:27.220333099 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:27.226802111 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:27.226821899 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:27.226914883 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:27.232462883 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:27.232479095 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:27.232510090 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:27.238122940 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:27.238142967 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:27.238168955 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:27.292036057 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:27.381032944 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:27.428425074 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:27.632956028 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:27.634207010 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:27.634399891 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:27.637203932 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:27.640254974 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:27.640269995 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:27.640280962 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:27.640325069 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:27.640381098 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:27.646307945 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:27.649348974 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:27.649401903 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:27.649426937 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:27.655291080 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:27.655306101 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:27.655364990 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:27.655761957 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:27.660146952 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:27.660226107 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:27.713836908 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.081934929 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.083831072 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.083904982 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:28.085417986 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.087831974 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.087996960 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:28.090248108 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.090354919 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.090394974 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:28.092912912 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.094485044 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.094537973 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:28.096353054 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.098712921 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.098764896 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:28.103497028 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.147279024 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:28.323029995 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.323566914 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.323654890 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:28.325428009 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.325464010 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.325540066 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:28.328676939 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.330224991 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.330303907 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:28.333756924 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.333791018 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.333856106 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:28.339327097 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.339361906 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.339464903 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:28.340548038 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.340580940 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.340624094 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:28.343430996 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.343442917 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.343498945 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:28.346069098 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.346081972 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.346148968 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:28.348324060 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.348335981 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.348346949 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.348387003 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:28.351142883 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.351999998 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.352011919 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.354207039 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.354218960 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.355222940 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:28.357000113 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.357012033 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.357070923 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:28.361979008 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.412951946 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:28.508508921 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.513448000 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.513509035 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:28.521435976 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.521451950 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.521512032 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:28.522039890 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:28.532322884 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.906399012 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.908447027 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.908531904 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:28.909198046 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.911442041 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.911505938 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:28.912410975 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.916629076 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.916645050 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.916692019 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:28.920753956 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.920829058 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:28.921670914 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.922115088 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.922166109 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:28.925201893 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.926992893 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.927050114 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:28.928141117 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.931549072 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.931612015 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:28.932039022 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.933062077 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.933115959 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:28.934830904 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.937835932 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.937896013 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:28.938545942 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.942620993 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.942645073 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:28.942687988 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:29.121336937 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.122345924 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.122411966 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:29.122926950 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.126234055 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.126254082 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.126307964 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:29.130451918 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.130511999 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:29.130760908 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.131858110 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.131912947 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:29.134327888 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.136648893 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.136713028 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:29.138042927 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.141204119 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.141251087 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:29.141941071 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.142640114 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.142687082 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:29.144289017 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.147489071 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.147593021 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:29.148135900 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.149172068 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.149219036 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:29.150535107 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.153947115 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.154006958 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:29.158746004 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.159075022 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:29.212646961 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.587080956 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.589221954 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.589272976 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:29.594110012 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.598967075 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.599001884 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.599025011 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:29.603883982 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.603944063 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:29.606297016 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.606312990 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.606352091 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:29.612541914 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.614872932 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.614888906 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.614940882 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:29.620569944 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.620593071 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.620630980 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:29.626287937 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.626310110 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.626322031 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.626372099 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:29.626393080 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:29.631871939 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.631892920 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.631985903 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:29.636708975 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.636729956 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.636791945 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:29.641423941 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.641447067 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.641499043 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:29.646826029 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.646850109 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.646908045 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:29.801970959 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.803453922 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.803513050 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:29.805144072 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.807595968 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.807678938 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:29.809292078 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.811973095 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.811992884 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.812046051 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:29.813869953 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.813922882 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:29.816073895 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.818254948 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.818275928 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:29.818320036 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:29.819885015 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:33.691524982 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:33.691582918 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:33.693305016 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:33.695112944 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:33.695130110 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:33.695174932 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:33.695549011 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:33.701900959 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.077929020 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.077944040 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.078005075 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.079001904 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.080130100 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.080174923 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.081191063 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.082274914 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.082294941 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.082331896 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.083367109 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.083414078 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.084295988 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.085664988 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.085716963 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.086483002 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.087620020 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.087665081 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.088677883 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.089764118 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.089811087 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.090095043 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.091499090 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.091547966 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.091883898 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.093435049 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.093521118 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.093841076 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.094650030 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.094712019 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.095369101 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.097290993 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.097336054 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.097683907 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.099226952 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.099271059 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.099663973 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.100430012 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.100478888 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.100811958 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.102360010 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.102404118 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.102674961 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.103885889 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.103944063 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.104223967 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.105166912 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.105209112 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.105422974 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.109919071 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.109975100 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.143508911 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.143666029 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.291341066 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.291600943 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.291655064 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.292269945 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.293528080 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.293544054 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.293584108 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.295376062 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.295464993 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.295655012 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.296346903 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.296422005 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.296832085 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.331645966 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.331713915 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.337173939 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.712915897 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.713176012 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.713404894 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.713612080 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.715037107 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.715054989 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.715111971 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.717005968 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.717088938 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.717325926 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.718049049 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.718118906 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.719027996 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.720669031 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.720762968 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.721029043 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.722508907 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.722585917 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.722893953 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.723874092 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.723943949 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.724483013 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.726273060 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.726337910 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.726547956 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.728133917 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.728202105 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.728399992 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.728934050 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.728990078 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.729980946 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.731862068 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.731925964 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.732156038 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.733712912 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.733781099 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.733908892 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.735585928 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.735645056 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.735877037 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.737452984 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.737508059 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.737735987 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.738472939 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.738528013 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.739332914 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.740854025 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.740904093 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.741147995 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.742317915 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.742382050 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.742592096 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.743182898 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.743228912 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.747914076 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.803528070 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.928528070 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.929440022 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.929578066 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.929707050 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.932630062 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.932648897 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:34.932715893 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.933106899 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:34.942617893 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.318610907 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.319484949 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.319591999 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:35.320322037 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.321563959 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.321640968 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:35.322766066 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.323986053 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.324045897 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:35.325196981 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.326411963 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.326484919 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:35.326739073 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.327699900 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.327774048 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:35.328701973 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.329643011 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.329704046 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:35.330643892 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.331592083 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.331651926 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:35.332566023 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.333530903 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.333586931 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:35.333686113 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.334599018 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.334609032 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.334651947 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:35.336245060 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.336304903 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:35.337038040 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.337882042 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.337897062 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.337943077 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:35.339561939 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.339621067 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:35.340267897 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.340285063 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.340332985 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:35.341021061 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.341660023 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.341710091 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:35.342300892 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.342936039 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.342978954 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:35.343563080 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.345081091 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.345123053 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:35.345503092 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.346832991 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.346873045 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:35.347165108 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.349281073 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.349327087 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:35.349843979 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.397162914 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:35.533087969 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.533801079 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.533862114 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:35.537784100 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.537796974 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.537843943 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:35.538201094 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:35.543906927 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.919984102 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.920598984 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.920681953 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:35.921123028 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.922456026 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.922516108 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:35.922780991 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.923489094 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.923543930 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:35.924626112 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.924650908 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.924710989 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:35.924917936 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.926422119 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.926513910 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:35.928073883 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.928216934 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.928265095 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:35.930278063 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.930454969 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.930506945 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:35.930978060 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.931787968 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.931839943 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:35.932791948 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.933119059 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.933165073 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:35.934520960 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.934611082 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.934658051 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:35.935913086 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.936207056 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.936254978 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:35.936784029 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.937599897 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.937649012 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:35.941535950 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.941551924 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.941611052 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:35.988250017 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:35.988420963 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:36.477900028 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:36.483452082 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:36.483622074 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:36.691296101 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:36.691312075 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:36.691375017 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:36.696455002 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:36.740859032 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:36.905472040 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:36.908413887 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:36.908584118 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:36.911566973 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:36.911582947 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:36.911624908 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:36.917433023 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:36.959753036 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:37.174669981 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:37.174685001 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:37.174804926 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:37.179996014 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:37.180013895 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:37.180083990 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:37.181006908 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:37.181025982 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:37.181081057 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:37.184422016 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:37.184441090 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:37.184499025 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:37.280774117 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:37.281117916 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:37.299029112 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:37.662976980 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:37.662993908 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:37.663216114 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:37.665430069 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:37.665446043 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:37.665618896 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:37.668838978 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:37.668853045 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:37.668989897 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:37.672156096 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:37.673434973 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:37.673453093 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:37.673542023 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:37.677433968 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:37.677457094 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:37.677539110 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:37.681432009 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:37.681452036 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:37.681462049 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:37.681538105 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:37.684217930 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:37.684237003 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:37.684247017 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:37.684391022 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:37.876481056 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:37.877217054 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:37.877275944 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:37.879875898 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:37.880645990 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:37.880698919 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:37.882360935 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:37.884134054 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:42.591578960 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:42.593818903 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:42.593899012 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:42.595449924 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:42.598685026 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:42.598756075 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:42.599333048 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:42.603015900 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:42.603106976 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:42.603951931 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:42.605892897 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:42.605969906 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:42.607172012 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:42.610570908 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:42.610656023 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:42.611596107 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:42.662780046 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:42.789540052 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:42.791848898 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:42.791932106 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:42.792618990 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:42.794342041 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:42.794411898 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:42.797318935 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:42.798207998 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:42.798271894 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:42.800023079 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:42.804477930 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:42.804542065 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:42.805665016 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:42.805686951 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:42.805757999 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:42.809720993 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:42.809745073 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:42.809792995 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:42.812422037 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:42.812443018 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:42.812505960 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:42.816364050 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:42.816431999 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:42.816483974 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:42.817744970 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:42.839632034 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:42.839713097 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:42.841620922 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:42.842539072 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:42.842598915 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:43.005353928 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.007332087 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.007390976 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:43.010186911 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.053364992 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:43.165162086 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.165630102 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:43.172142029 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.547012091 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.550973892 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.551040888 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:43.556197882 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.559335947 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.559356928 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.559375048 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.559395075 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:43.559428930 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:43.566386938 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.570010900 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.570074081 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:43.573724031 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.573745012 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.573796034 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:43.577789068 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.580152988 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.580173016 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.580210924 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:43.585156918 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.585177898 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.585206032 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:43.590189934 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.590215921 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.590250969 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:43.595205069 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.595230103 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.595244884 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.595257044 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:43.595299006 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:43.600052118 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.647094011 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:43.745347023 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.755469084 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.755541086 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:43.757462978 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.759192944 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.759268045 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:43.761565924 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.763623953 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.763673067 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:43.764568090 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.768158913 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.768198013 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.768235922 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:43.771150112 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.771188021 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.771224022 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:43.775640965 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.775702000 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:43.777488947 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.777513027 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.777559042 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:43.780428886 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.782335043 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.782392025 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:43.783418894 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.787702084 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.787714958 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.787766933 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:43.791690111 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.791748047 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:43.793453932 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:43.793883085 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:43.803050995 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.169399023 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.171283007 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.171360970 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:44.172009945 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.173329115 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.173379898 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:44.175034046 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.178109884 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.178158998 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:44.178740025 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.182482004 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.182564020 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:44.183010101 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.184171915 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.184221983 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:44.186297894 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.188963890 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.189012051 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:44.189438105 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.192225933 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.192279100 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:44.192760944 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.193888903 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.193978071 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:44.195235968 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.198195934 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.198242903 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:44.198746920 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.199843884 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.199889898 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:44.201216936 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.204205036 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.204250097 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:44.204632998 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.256478071 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:44.382658958 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.384192944 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.384272099 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:44.384793997 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.386020899 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.386097908 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:44.386620998 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.389792919 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.389864922 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:44.390230894 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.391242981 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.391465902 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:44.392895937 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.396038055 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.396151066 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:44.396431923 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.398585081 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.398686886 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:44.399060965 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.400907993 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.400965929 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:44.401205063 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.403597116 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.403673887 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:44.405704021 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.405725002 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.407965899 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:44.443702936 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.443768024 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:44.541893005 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.542673111 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:44.547627926 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.923355103 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.924705029 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.924753904 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:44.925323963 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.927592993 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.928195953 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.928246975 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:44.928591967 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.928634882 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:44.932410002 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.932425976 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.932491064 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:44.933599949 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.934274912 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.934324026 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:44.937222958 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.937237024 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.937293053 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:44.939019918 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.940016985 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.940083027 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:44.942809105 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.943387985 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.944763899 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.944827080 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:44.945714951 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.945763111 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:44.948543072 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.949552059 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.949567080 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.949609995 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:44.953355074 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.954345942 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.954418898 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:44.987590075 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.987658978 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:44.992361069 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:44.992433071 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:45.139076948 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.140393019 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.140568972 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:45.140937090 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.142616034 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.142668962 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:45.143161058 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.145087957 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.145138979 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:45.145515919 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.148327112 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.148381948 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:45.148876905 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.149930000 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.149981976 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:45.151123047 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.153970003 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.154022932 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:45.154546976 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.155595064 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.155642033 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:45.156265020 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.162906885 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.162960052 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:45.301708937 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.302050114 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:45.357074022 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.722213030 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.722225904 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.722434998 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:45.726609945 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.731029987 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.731268883 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:45.735498905 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.735512018 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.735579967 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:45.739572048 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.743093014 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.743107080 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.743182898 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:45.750154972 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.750171900 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.750258923 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:45.757239103 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.757258892 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.757323027 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:45.762240887 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.762269020 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.762281895 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.762346029 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:45.762373924 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:45.766896009 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.766921043 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.766988039 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:45.771579981 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.771605968 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.771663904 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:45.776254892 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.776278019 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.776349068 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:45.780870914 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.780893087 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.780951977 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:45.785530090 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.785551071 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.785563946 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.785610914 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:45.834760904 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:45.935144901 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.936494112 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.936669111 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:45.938491106 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.940853119 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.940905094 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:45.943205118 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.945545912 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.945597887 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:45.945758104 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.947623014 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.947643042 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.947669983 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:45.951484919 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.951505899 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:45.951544046 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:45.955229998 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.212765932 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.212816000 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:50.213923931 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.215193987 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.215250015 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:50.216464043 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.217791080 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.217834949 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:50.219064951 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.219082117 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.219120026 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:50.220416069 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.221240997 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.221298933 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:50.222287893 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.222301960 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.222342014 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:50.224419117 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.224433899 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.224483967 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:50.226514101 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.226526976 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.226644039 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:50.228523970 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.228537083 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.228549004 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.228584051 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:50.230561018 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.230642080 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:50.231380939 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.231395006 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.231430054 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:50.233038902 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.233053923 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.233102083 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:50.234672070 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.234688997 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.234730005 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:50.236211061 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.237015963 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.237030983 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.237036943 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.237123013 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:50.238495111 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.238511086 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.238569021 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:50.239943027 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.239957094 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.239999056 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:50.241395950 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.241414070 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.241451979 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:50.242839098 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.288388014 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.288544893 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:50.421585083 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.422032118 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.422137976 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:50.426357031 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.426373005 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.426382065 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:50.426450968 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:51.119323015 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:51.124331951 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.499145985 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.499906063 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.499973059 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:51.500297070 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.501590014 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.501638889 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:51.501971006 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.503258944 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.503308058 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:51.503643036 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.504426956 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.504484892 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:51.504950047 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.506604910 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.506658077 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:51.506930113 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.508269072 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.508313894 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:51.508613110 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.509202957 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.509241104 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:51.509959936 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.511631966 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.511701107 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:51.511935949 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.513300896 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.513365030 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:51.513598919 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.514687061 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.514741898 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:51.514950991 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.516644955 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.516697884 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:51.516944885 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.518330097 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.518388987 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:51.518644094 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.519454956 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.519503117 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:51.519984961 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.521670103 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.521747112 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:51.521955013 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.523333073 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.523407936 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:51.523622990 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.524199963 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.524262905 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:51.525041103 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.526803017 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.526855946 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:51.526953936 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.528347015 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.528405905 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:51.528649092 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.529236078 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.529284000 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:51.559597969 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.559655905 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:51.714405060 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.739622116 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.739700079 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:51.739984989 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:51.744369030 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:51.744446039 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:51.801489115 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.165777922 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.168203115 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.168275118 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.173043013 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.177890062 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.177957058 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.182749033 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.182764053 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.182859898 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.190515995 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.190531969 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.190542936 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.190584898 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.198257923 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.198271990 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.198327065 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.205029964 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.205045938 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.205132008 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.210539103 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.210566044 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.210608006 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.216017008 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.216037989 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.216048956 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.216075897 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.216108084 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.221513987 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.221532106 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.221607924 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.226994991 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.227015972 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.227067947 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.232393026 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.232414961 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.232460022 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.237164974 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.237184048 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.237234116 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.241568089 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.241581917 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.241597891 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.241651058 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.246035099 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.246049881 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.246078014 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.250458002 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.250483990 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.250539064 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.254864931 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.254885912 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.254992962 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.259063959 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.259079933 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.259092093 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.259133101 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.259155035 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.262981892 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.263000011 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.263070107 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.380997896 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.382081985 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.387000084 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.772865057 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.774966955 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.775043011 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.775911093 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.778085947 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.778150082 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.780174017 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.782345057 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.782358885 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.782434940 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.785794020 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.785809040 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.785883904 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.789232016 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.789247990 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.789309978 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.792671919 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.792690992 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.792702913 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.792758942 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.792772055 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.796083927 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.796109915 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.796165943 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.798723936 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.798739910 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.798799038 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.801400900 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.801419020 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.801479101 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.804054022 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.804071903 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.804083109 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.804119110 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.806636095 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.806652069 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.806696892 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.809247971 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.809261084 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.809303999 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.811863899 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.811876059 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.811918974 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.814361095 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.814378977 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.814416885 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.816632032 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.816651106 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.816664934 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.816688061 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.816709995 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.818773031 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.818789959 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.818876982 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.820899010 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.820916891 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.820955038 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.822993040 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.823029041 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.823079109 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.922332048 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:52.926285982 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:52.931303978 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.303908110 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.304270983 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.304368019 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:53.305895090 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.305913925 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.305964947 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:53.306557894 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.307688951 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.307753086 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:53.308803082 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.309935093 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.310008049 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:53.310105085 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.311029911 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.311093092 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:53.311907053 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.312804937 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.312855959 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:53.313735008 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.314613104 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.314671040 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:53.315588951 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.316385031 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.316440105 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:53.316534996 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.317307949 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.317354918 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:53.318047047 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.318854094 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.318896055 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:53.319480896 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.320523024 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.320566893 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:53.320890903 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.321542978 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.321588039 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:53.321892977 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.323208094 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.323251963 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:53.323523998 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.324541092 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.324584961 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:53.324837923 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.325875044 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.325927019 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:53.326173067 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.326761007 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.326800108 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:53.327580929 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.329184055 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.329233885 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:53.329472065 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.330882072 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:53.330929041 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:56.738326073 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:56.743354082 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.113431931 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.114061117 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.114137888 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.114379883 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.115314960 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.115366936 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.115770102 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.116210938 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.116255999 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.117091894 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.117105961 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.117155075 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.118421078 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.118711948 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.118751049 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.119299889 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.119617939 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.119659901 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.120918036 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.121154070 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.121197939 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.122262955 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.122492075 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.122533083 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.123558044 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.123795033 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.123847961 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.124783993 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.124998093 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.125068903 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.125983000 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.126060963 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.126108885 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.127294064 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.127532959 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.127582073 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.128597975 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.128849030 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.128895044 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.129849911 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.130093098 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.130137920 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.131161928 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.132407904 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.132421017 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.132463932 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.132664919 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.132714033 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.133137941 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.134706974 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.134768963 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.135282993 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.135296106 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.135349035 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.136449099 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.137319088 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.137332916 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.137382030 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.140193939 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.140206099 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.140260935 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.175774097 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.175909042 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.275506020 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.275896072 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.281430006 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.656420946 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.656759024 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.656857014 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.658036947 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.658068895 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.658127069 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.658613920 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.659681082 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.659697056 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.659739017 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.660680056 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.660764933 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.660926104 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.661453962 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.661509991 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.661947966 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.666759968 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.666775942 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.666788101 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.666800976 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.666847944 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.666903019 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.667064905 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.667078972 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.667090893 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.667104006 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.667119980 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.667146921 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.668211937 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.668278933 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.668428898 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.669996023 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.670007944 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.670062065 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.671123981 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.671138048 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.671190977 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.671869993 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.671928883 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.672002077 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.673306942 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.673371077 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.673757076 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.674788952 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.674834013 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.674849987 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.675848007 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.675908089 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.676120043 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.676635027 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.676692963 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.677721977 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.682202101 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.682214975 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.682224989 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.682230949 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.682293892 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.683068037 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.683080912 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.683125973 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.683442116 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.721589088 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:57.721672058 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:57.726433039 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.099442005 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.099462032 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.099528074 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:58.100022078 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.101624966 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.101639032 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.101650000 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.101702929 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:58.101721048 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:58.102601051 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.102623940 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.102636099 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.102648020 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.102690935 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:58.102718115 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:58.105195045 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.105309963 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.105349064 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:58.106806040 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.106817961 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.106853008 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:58.107302904 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.108159065 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.108202934 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:58.109014988 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.109360933 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.109435081 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:58.110393047 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.110457897 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.110491991 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:58.111463070 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.111804008 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.111844063 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:58.112333059 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.113235950 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.113255978 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.113276958 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:58.113548040 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.113584042 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:58.114049911 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.114579916 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.114615917 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:58.115411997 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.115586996 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.115626097 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:58.116019011 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.116519928 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.116556883 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:58.117387056 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.117738008 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.117775917 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:58.118419886 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.118697882 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.118840933 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:58.120049000 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.120424032 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.120475054 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:58.121896982 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.123433113 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.123450994 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.123491049 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:58.259707928 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:58.303365946 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:59.326884031 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:59.332159042 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.335933924 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:59.340930939 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.708858013 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.712568045 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.712668896 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:59.716397047 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.720276117 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.720292091 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.720360041 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:59.728107929 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.728189945 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:59.730402946 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.730420113 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.730468035 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:59.735286951 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.735305071 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.735317945 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.735393047 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:59.740168095 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.740187883 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.740247011 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:59.744900942 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.744923115 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.744976997 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:59.749604940 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.749636889 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.749687910 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:59.754230022 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.754252911 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.754298925 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:59.758758068 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.758821964 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:59.758841038 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.758863926 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.758908987 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:59.763345003 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.763369083 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.763421059 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:59.767272949 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.767307043 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.767416000 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:59.771116018 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.771151066 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.771214962 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:59.773124933 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:59.773149967 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:59.775156975 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.775206089 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.775285006 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:59.778875113 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.778928041 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.778963089 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.779016972 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:59.779042959 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:59.782716036 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.782768011 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.782938957 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:59.785975933 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.785990953 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.786065102 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:59.789694071 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.789716005 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.789729118 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.789787054 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:59.789813995 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:59.794734955 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.794753075 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.868793964 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.869060040 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:59.879213095 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.947022915 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.948483944 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:59.953406096 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.953476906 CEST497118237192.168.2.1145.125.48.89
                    May 18, 2024 03:38:59.958916903 CEST82374971145.125.48.89192.168.2.11
                    May 18, 2024 03:38:59.959667921 CEST497118237192.168.2.1145.125.48.89

                    Target ID:0
                    Start time:21:36:52
                    Start date:17/05/2024
                    Path:C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe"
                    Imagebase:0x400000
                    File size:14'038'624 bytes
                    MD5 hash:5D84E6ED7D8E9B89FAE2771D6870393E
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:2
                    Start time:21:36:53
                    Start date:17/05/2024
                    Path:C:\Windows\SysWOW64\Dism.exe
                    Wow64 process (32bit):true
                    Commandline:dism /mount-wim /wimfile:"C:\Users\user\AppData\Local\Temp\System.wim" /index:1 /mountdir:"C:\Users\user\AppData\Local\Temp\System"
                    Imagebase:0x9d0000
                    File size:225'104 bytes
                    MD5 hash:C100B8F80EE9C3E4D4448634025910B5
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:3
                    Start time:21:36:53
                    Start date:17/05/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff68cce0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:4
                    Start time:21:36:54
                    Start date:17/05/2024
                    Path:C:\Windows\System32\drivers\wimmount.sys
                    Wow64 process (32bit):
                    Commandline:
                    Imagebase:
                    File size:39'760 bytes
                    MD5 hash:416B0938189ED0D4A8B5BBBE3F045269
                    Has elevated privileges:
                    Has administrator privileges:
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:false

                    Target ID:5
                    Start time:21:36:54
                    Start date:17/05/2024
                    Path:C:\Windows\System32\wimserv.exe
                    Wow64 process (32bit):false
                    Commandline:wimserv.exe a87a5149-c7b0-4e41-bd88-ef52e4b1f2cb
                    Imagebase:0x7ff69c350000
                    File size:522'064 bytes
                    MD5 hash:7477F87C3C1D7633A0E003BE6AA01020
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:6
                    Start time:21:36:55
                    Start date:17/05/2024
                    Path:C:\Users\user\AppData\Local\Temp\7z.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\AppData\Local\Temp\7z.exe x LInstSvr.7z -oC:\Windows -pa123456789 -y
                    Imagebase:0x1d0000
                    File size:309'720 bytes
                    MD5 hash:36A3807A11DF584777165172C71797EE
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000006.00000003.1419070470.0000000003C95000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                    Antivirus matches:
                    • Detection: 0%, ReversingLabs
                    • Detection: 0%, Virustotal, Browse
                    Reputation:low
                    Has exited:true

                    Target ID:7
                    Start time:21:36:55
                    Start date:17/05/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff68cce0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:8
                    Start time:21:36:57
                    Start date:17/05/2024
                    Path:C:\Users\user\AppData\Local\Temp\7z.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\AppData\Local\Temp\7z.exe x winrdlv3.rar -oC:\Windows\system32 -pa123456789 -y
                    Imagebase:0x1d0000
                    File size:309'720 bytes
                    MD5 hash:36A3807A11DF584777165172C71797EE
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:9
                    Start time:21:36:57
                    Start date:17/05/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff68cce0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:10
                    Start time:21:36:58
                    Start date:17/05/2024
                    Path:C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit):true
                    Commandline:cmd /c netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe"
                    Imagebase:0xc30000
                    File size:236'544 bytes
                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:12
                    Start time:21:36:58
                    Start date:17/05/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff68cce0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:13
                    Start time:21:36:58
                    Start date:17/05/2024
                    Path:C:\Windows\SysWOW64\netsh.exe
                    Wow64 process (32bit):true
                    Commandline:netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe"
                    Imagebase:0x10d0000
                    File size:82'432 bytes
                    MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:moderate
                    Has exited:true

                    Target ID:14
                    Start time:21:36:58
                    Start date:17/05/2024
                    Path:C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit):true
                    Commandline:cmd /c netsh advfirewall firewall add rule name="winrdlv3" dir=out action=allow program="C:\Windows\system32\winrdlv3.exe"
                    Imagebase:0xc30000
                    File size:236'544 bytes
                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:15
                    Start time:21:36:58
                    Start date:17/05/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff68cce0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:16
                    Start time:21:36:58
                    Start date:17/05/2024
                    Path:C:\Windows\SysWOW64\netsh.exe
                    Wow64 process (32bit):true
                    Commandline:netsh advfirewall firewall add rule name="winrdlv3" dir=out action=allow program="C:\Windows\system32\winrdlv3.exe"
                    Imagebase:0x10d0000
                    File size:82'432 bytes
                    MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:moderate
                    Has exited:true

                    Target ID:17
                    Start time:21:36:58
                    Start date:17/05/2024
                    Path:C:\Program Files (x86)\Common Files\System\systecv3.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Program Files (x86)\Common Files\System\systecv3.exe" SW_HIDE
                    Imagebase:0x400000
                    File size:2'421'224 bytes
                    MD5 hash:B9E0A7CBD7FDB4D179172DBDD453495A
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Antivirus matches:
                    • Detection: 4%, ReversingLabs
                    • Detection: 4%, Virustotal, Browse
                    Reputation:low
                    Has exited:true

                    Target ID:18
                    Start time:21:36:59
                    Start date:17/05/2024
                    Path:C:\Program Files (x86)\Common Files\System\winrdgv3.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Program Files (x86)\Common Files\System\winrdgv3.exe"
                    Imagebase:0x400000
                    File size:1'802'728 bytes
                    MD5 hash:97AC3EF2E098C4CB7DD6EC1D14DC28F1
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Antivirus matches:
                    • Detection: 4%, ReversingLabs
                    • Detection: 4%, Virustotal, Browse
                    Reputation:low
                    Has exited:true

                    Target ID:19
                    Start time:21:36:59
                    Start date:17/05/2024
                    Path:C:\Windows\SysWOW64\winrdlv3.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWow64\winrdlv3.exe winwdgv3.dll,RunMonitor32
                    Imagebase:0x400000
                    File size:58'640 bytes
                    MD5 hash:0CBEB75D3090054817EA4DF0773AFE35
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Antivirus matches:
                    • Detection: 0%, ReversingLabs
                    • Detection: 3%, Virustotal, Browse
                    Has exited:false

                    Target ID:20
                    Start time:21:36:59
                    Start date:17/05/2024
                    Path:C:\Windows\SysWOW64\winrdlv3.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWow64\winrdlv3.exe winoav3.dll,RunAgent32
                    Imagebase:0x400000
                    File size:58'640 bytes
                    MD5 hash:0CBEB75D3090054817EA4DF0773AFE35
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:false

                    Target ID:21
                    Start time:21:36:59
                    Start date:17/05/2024
                    Path:C:\Program Files (x86)\Common Files\System\winrdgv3.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Program Files (x86)\Common Files\System\winrdgv3.exe" SW_HIDE
                    Imagebase:0x400000
                    File size:1'802'728 bytes
                    MD5 hash:97AC3EF2E098C4CB7DD6EC1D14DC28F1
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:22
                    Start time:21:37:01
                    Start date:17/05/2024
                    Path:C:\Windows\SysWOW64\winrdlv3.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Windows\system32\winrdlv3.exe" SW_HIDE
                    Imagebase:0x400000
                    File size:58'640 bytes
                    MD5 hash:0CBEB75D3090054817EA4DF0773AFE35
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:23
                    Start time:21:37:01
                    Start date:17/05/2024
                    Path:C:\Windows\SysWOW64\Dism.exe
                    Wow64 process (32bit):true
                    Commandline:Dism /Unmount-Wim /MountDir:"C:\Users\user\AppData\Local\Temp\System" /commit
                    Imagebase:0x9d0000
                    File size:225'104 bytes
                    MD5 hash:C100B8F80EE9C3E4D4448634025910B5
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:24
                    Start time:21:37:01
                    Start date:17/05/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff68cce0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:25
                    Start time:21:37:03
                    Start date:17/05/2024
                    Path:C:\Windows\System32\svchost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
                    Imagebase:0x7ff68dea0000
                    File size:55'320 bytes
                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:26
                    Start time:21:37:04
                    Start date:17/05/2024
                    Path:C:\Windows\System32\drivers\nwifi.sys
                    Wow64 process (32bit):
                    Commandline:
                    Imagebase:
                    File size:757'760 bytes
                    MD5 hash:8CA2DD9A18327EFBD5D7E8E099E36BD4
                    Has elevated privileges:
                    Has administrator privileges:
                    Programmed in:C, C++ or other language
                    Has exited:false

                    Target ID:27
                    Start time:21:37:04
                    Start date:17/05/2024
                    Path:C:\Windows\System32\drivers\ndisuio.sys
                    Wow64 process (32bit):
                    Commandline:
                    Imagebase:
                    File size:70'656 bytes
                    MD5 hash:09BD40437780ED584D06519373ACEDC7
                    Has elevated privileges:
                    Has administrator privileges:
                    Programmed in:C, C++ or other language
                    Has exited:false

                    Target ID:28
                    Start time:21:37:04
                    Start date:17/05/2024
                    Path:C:\Windows\System32\svchost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p
                    Imagebase:0x7ff68dea0000
                    File size:55'320 bytes
                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:false

                    Target ID:29
                    Start time:21:37:04
                    Start date:17/05/2024
                    Path:C:\Windows\System32\regsvr32.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\regsvr32.exe /s trmenushl64.dll
                    Imagebase:0x7ff600e00000
                    File size:25'088 bytes
                    MD5 hash:B0C2FA35D14A9FAD919E99D9D75E1B9E
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:30
                    Start time:21:37:05
                    Start date:17/05/2024
                    Path:C:\Windows\System32\svchost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\System32\svchost.exe -k NetworkService -s TermService
                    Imagebase:0x7ff68dea0000
                    File size:55'320 bytes
                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                    Has elevated privileges:true
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Has exited:false

                    Target ID:31
                    Start time:21:37:27
                    Start date:17/05/2024
                    Path:C:\Windows\System32\svchost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                    Imagebase:0x7ff68dea0000
                    File size:55'320 bytes
                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                    Has elevated privileges:true
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Has exited:false

                      Execution Graph

                      Execution Coverage:18.7%
                      Dynamic/Decrypted Code Coverage:0%
                      Signature Coverage:22.5%
                      Total number of Nodes:1222
                      Total number of Limit Nodes:26
405d02 lstrcpynA 3705->3708 3708->3706 3709 4016a1 3710 4029ff 18 API calls 3709->3710 3711 4016a7 GetFullPathNameA 3710->3711 3712 4016df 3711->3712 3713 4016be 3711->3713 3714 4016f3 GetShortPathNameA 3712->3714 3715 402894 3712->3715 3713->3712 3716 406006 2 API calls 3713->3716 3714->3715 3717 4016cf 3716->3717 3717->3712 3719 405d02 lstrcpynA 3717->3719 3719->3712 3720 401d26 GetDC GetDeviceCaps 3721 4029e2 18 API calls 3720->3721 3722 401d44 MulDiv ReleaseDC 3721->3722 3723 4029e2 18 API calls 3722->3723 3724 401d63 3723->3724 3725 405d24 18 API calls 3724->3725 3726 401d9c CreateFontIndirectA 3725->3726 3727 4024cd 3726->3727 3728 40512b 3729 4052d8 3728->3729 3730 40514d GetDlgItem GetDlgItem GetDlgItem 3728->3730 3732 4052e0 GetDlgItem CreateThread CloseHandle 3729->3732 3733 405308 3729->3733 3773 404025 SendMessageA 3730->3773 3732->3733 3735 405357 3733->3735 3736 40531e ShowWindow ShowWindow 3733->3736 3738 405336 3733->3738 3734 4051be 3739 4051c5 GetClientRect GetSystemMetrics SendMessageA SendMessageA 3734->3739 3743 404057 8 API calls 3735->3743 3775 404025 SendMessageA 3736->3775 3737 405391 3737->3735 3748 40539e SendMessageA 3737->3748 3738->3737 3741 405346 3738->3741 3742 40536a ShowWindow 3738->3742 3746 405234 3739->3746 3747 405218 SendMessageA SendMessageA 3739->3747 3749 403fc9 SendMessageA 3741->3749 3744 40538a 3742->3744 3745 40537c 3742->3745 3750 405363 3743->3750 3752 403fc9 SendMessageA 3744->3752 3751 404fed 25 API calls 3745->3751 3753 405247 3746->3753 3754 405239 SendMessageA 3746->3754 3747->3746 3748->3750 3755 4053b7 CreatePopupMenu 3748->3755 3749->3735 3751->3744 3752->3737 3757 403ff0 19 API calls 3753->3757 3754->3753 3756 405d24 18 API calls 3755->3756 3758 4053c7 AppendMenuA 3756->3758 3759 405257 3757->3759 3760 4053e5 GetWindowRect 3758->3760 3761 4053f8 TrackPopupMenu 3758->3761 3762 405260 ShowWindow 3759->3762 3763 405294 GetDlgItem SendMessageA 3759->3763 3760->3761 3761->3750 3765 405414 3761->3765 3766 405283 
3762->3766 3767 405276 ShowWindow 3762->3767 3763->3750 3764 4052bb SendMessageA SendMessageA 3763->3764 3764->3750 3768 405433 SendMessageA 3765->3768 3774 404025 SendMessageA 3766->3774 3767->3766 3768->3768 3769 405450 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3768->3769 3771 405472 SendMessageA 3769->3771 3771->3771 3772 405494 GlobalUnlock SetClipboardData CloseClipboard 3771->3772 3772->3750 3773->3734 3774->3763 3775->3738 3185 40172c 3186 4029ff 18 API calls 3185->3186 3187 401733 3186->3187 3188 4059c2 2 API calls 3187->3188 3189 40173a 3188->3189 3190 4059c2 2 API calls 3189->3190 3190->3189 3776 401dac 3777 4029e2 18 API calls 3776->3777 3778 401db2 3777->3778 3779 4029e2 18 API calls 3778->3779 3780 401dbb 3779->3780 3781 401dc2 ShowWindow 3780->3781 3782 401dcd EnableWindow 3780->3782 3783 402894 3781->3783 3782->3783 3784 401eac 3785 4029ff 18 API calls 3784->3785 3786 401eb3 3785->3786 3787 406006 2 API calls 3786->3787 3788 401eb9 3787->3788 3790 401ecb 3788->3790 3791 405c60 wsprintfA 3788->3791 3791->3790 3792 40192d 3793 4029ff 18 API calls 3792->3793 3794 401934 lstrlenA 3793->3794 3795 4024cd 3794->3795 3796 40442e 3797 40445a 3796->3797 3798 40446b 3796->3798 3857 4054fa GetDlgItemTextA 3797->3857 3800 404477 GetDlgItem 3798->3800 3806 4044d6 3798->3806 3803 40448b 3800->3803 3801 4045ba 3854 404755 3801->3854 3859 4054fa GetDlgItemTextA 3801->3859 3802 404465 3804 405f6d 5 API calls 3802->3804 3805 40449f SetWindowTextA 3803->3805 3808 40582b 4 API calls 3803->3808 3804->3798 3809 403ff0 19 API calls 3805->3809 3806->3801 3810 405d24 18 API calls 3806->3810 3806->3854 3814 404495 3808->3814 3815 4044bb 3809->3815 3816 40454a SHBrowseForFolderA 3810->3816 3811 4045ea 3817 405880 18 API calls 3811->3817 3812 404057 8 API calls 3813 404769 3812->3813 3814->3805 3821 405792 3 API calls 3814->3821 3818 403ff0 19 API calls 3815->3818 3816->3801 3819 404562 CoTaskMemFree 3816->3819 3820 4045f0 3817->3820 3822 4044c9 3818->3822 3823 405792 
3 API calls 3819->3823 3860 405d02 lstrcpynA 3820->3860 3821->3805 3858 404025 SendMessageA 3822->3858 3825 40456f 3823->3825 3828 4045a6 SetDlgItemTextA 3825->3828 3832 405d24 18 API calls 3825->3832 3827 4044cf 3830 40602d 3 API calls 3827->3830 3828->3801 3829 404607 3831 40602d 3 API calls 3829->3831 3830->3806 3838 40460f 3831->3838 3834 40458e lstrcmpiA 3832->3834 3833 404649 3861 405d02 lstrcpynA 3833->3861 3834->3828 3835 40459f lstrcatA 3834->3835 3835->3828 3837 404650 3839 40582b 4 API calls 3837->3839 3838->3833 3843 4057d9 2 API calls 3838->3843 3844 40469a 3838->3844 3840 404656 GetDiskFreeSpaceA 3839->3840 3842 404678 MulDiv 3840->3842 3840->3844 3842->3844 3843->3838 3845 4047d6 21 API calls 3844->3845 3855 404704 3844->3855 3847 4046f6 3845->3847 3846 40140b 2 API calls 3848 404727 3846->3848 3850 404706 SetDlgItemTextA 3847->3850 3851 4046fb 3847->3851 3862 404012 EnableWindow 3848->3862 3850->3855 3853 4047d6 21 API calls 3851->3853 3852 404743 3852->3854 3863 4043c3 3852->3863 3853->3855 3854->3812 3855->3846 3855->3848 3857->3802 3858->3827 3859->3811 3860->3829 3861->3837 3862->3852 3864 4043d1 3863->3864 3865 4043d6 SendMessageA 3863->3865 3864->3865 3865->3854 3866 401cb0 3867 4029e2 18 API calls 3866->3867 3868 401cc0 SetWindowLongA 3867->3868 3869 402894 3868->3869 3870 401a31 3871 4029e2 18 API calls 3870->3871 3872 401a37 3871->3872 3873 4029e2 18 API calls 3872->3873 3874 4019e1 3873->3874 3875 4024b1 3876 4029ff 18 API calls 3875->3876 3877 4024b8 3876->3877 3880 405993 GetFileAttributesA CreateFileA 3877->3880 3879 4024c4 3880->3879 3881 401e32 3882 4029ff 18 API calls 3881->3882 3883 401e38 3882->3883 3884 404fed 25 API calls 3883->3884 3885 401e42 3884->3885 3886 4054b5 2 API calls 3885->3886 3890 401e48 3886->3890 3887 401e9e CloseHandle 3889 402665 3887->3889 3888 401e67 WaitForSingleObject 3888->3890 3891 401e75 GetExitCodeProcess 3888->3891 3890->3887 3890->3888 3890->3889 3892 406066 2 API calls 3890->3892 3893 401e90 
3891->3893 3894 401e87 3891->3894 3892->3888 3893->3887 3896 405c60 wsprintfA 3894->3896 3896->3893 2637 4015b3 2655 4029ff 2637->2655 2641 40160a 2643 401638 2641->2643 2644 40160f 2641->2644 2648 401423 25 API calls 2643->2648 2671 401423 2644->2671 2647 4015e5 GetLastError 2650 4015f2 GetFileAttributesA 2647->2650 2651 4015c2 2647->2651 2654 401630 2648->2654 2650->2651 2651->2641 2667 4057bd 2651->2667 2653 401621 SetCurrentDirectoryA 2653->2654 2656 402a0b 2655->2656 2675 405d24 2656->2675 2659 4015ba 2661 40582b CharNextA CharNextA 2659->2661 2662 405846 2661->2662 2666 405856 2661->2666 2663 405851 CharNextA 2662->2663 2662->2666 2664 405876 2663->2664 2664->2651 2665 4057bd CharNextA 2665->2666 2666->2664 2666->2665 2668 4057c3 2667->2668 2669 4015d0 CreateDirectoryA 2668->2669 2670 4057c9 CharNextA 2668->2670 2669->2647 2669->2651 2670->2668 2710 404fed 2671->2710 2674 405d02 lstrcpynA 2674->2653 2688 405d31 2675->2688 2676 405f54 2677 402a2c 2676->2677 2709 405d02 lstrcpynA 2676->2709 2677->2659 2693 405f6d 2677->2693 2679 405dd2 GetVersion 2679->2688 2680 405f2b lstrlenA 2680->2688 2683 405d24 10 API calls 2683->2680 2684 405e4a GetSystemDirectoryA 2684->2688 2686 405e5d GetWindowsDirectoryA 2686->2688 2687 405f6d 5 API calls 2687->2688 2688->2676 2688->2679 2688->2680 2688->2683 2688->2684 2688->2686 2688->2687 2689 405e91 SHGetSpecialFolderLocation 2688->2689 2690 405d24 10 API calls 2688->2690 2691 405ed4 lstrcatA 2688->2691 2702 405be9 RegOpenKeyExA 2688->2702 2707 405c60 wsprintfA 2688->2707 2708 405d02 lstrcpynA 2688->2708 2689->2688 2692 405ea9 SHGetPathFromIDListA CoTaskMemFree 2689->2692 2690->2688 2691->2688 2692->2688 2699 405f79 2693->2699 2694 405fe1 2695 405fe5 CharPrevA 2694->2695 2697 406000 2694->2697 2695->2694 2696 405fd6 CharNextA 2696->2694 2696->2699 2697->2659 2698 4057bd CharNextA 2698->2699 2699->2694 2699->2696 2699->2698 2700 405fc4 CharNextA 2699->2700 2701 405fd1 CharNextA 2699->2701 2700->2699 2701->2696 2703 405c5a 
2702->2703 2704 405c1c RegQueryValueExA 2702->2704 2703->2688 2705 405c3d RegCloseKey 2704->2705 2705->2703 2707->2688 2708->2688 2709->2677 2712 405008 2710->2712 2720 401431 2710->2720 2711 405025 lstrlenA 2714 405033 lstrlenA 2711->2714 2715 40504e 2711->2715 2712->2711 2713 405d24 18 API calls 2712->2713 2713->2711 2716 405045 lstrcatA 2714->2716 2714->2720 2717 405061 2715->2717 2718 405054 SetWindowTextA 2715->2718 2716->2715 2719 405067 SendMessageA SendMessageA SendMessageA 2717->2719 2717->2720 2718->2717 2719->2720 2720->2674 3897 402036 3898 4029ff 18 API calls 3897->3898 3899 40203d 3898->3899 3900 4029ff 18 API calls 3899->3900 3901 402047 3900->3901 3902 4029ff 18 API calls 3901->3902 3903 402051 3902->3903 3904 4029ff 18 API calls 3903->3904 3905 40205b 3904->3905 3906 4029ff 18 API calls 3905->3906 3907 402065 3906->3907 3908 40207b CoCreateInstance 3907->3908 3909 4029ff 18 API calls 3907->3909 3912 40209a 3908->3912 3914 40214f 3908->3914 3909->3908 3910 401423 25 API calls 3911 402183 3910->3911 3913 402131 MultiByteToWideChar 3912->3913 3912->3914 3913->3914 3914->3910 3914->3911 3915 4014b7 3916 4014bd 3915->3916 3917 401389 2 API calls 3916->3917 3918 4014c5 3917->3918 3919 401bb8 3920 4029e2 18 API calls 3919->3920 3921 401bbf 3920->3921 3922 4029e2 18 API calls 3921->3922 3923 401bc9 3922->3923 3924 401bd9 3923->3924 3925 4029ff 18 API calls 3923->3925 3926 401be9 3924->3926 3927 4029ff 18 API calls 3924->3927 3925->3924 3928 401bf4 3926->3928 3929 401c38 3926->3929 3927->3926 3931 4029e2 18 API calls 3928->3931 3930 4029ff 18 API calls 3929->3930 3932 401c3d 3930->3932 3933 401bf9 3931->3933 3934 4029ff 18 API calls 3932->3934 3935 4029e2 18 API calls 3933->3935 3936 401c46 FindWindowExA 3934->3936 3937 401c02 3935->3937 3940 401c64 3936->3940 3938 401c28 SendMessageA 3937->3938 3939 401c0a SendMessageTimeoutA 3937->3939 3938->3940 3939->3940 3941 404139 3942 40414f 3941->3942 3949 40425b 3941->3949 3944 403ff0 19 API calls 3942->3944 3943 
4042ca 3945 4042d4 GetDlgItem 3943->3945 3946 40439e 3943->3946 3947 4041a5 3944->3947 3948 4042ea 3945->3948 3952 40435c 3945->3952 3951 404057 8 API calls 3946->3951 3950 403ff0 19 API calls 3947->3950 3948->3952 3957 404310 6 API calls 3948->3957 3949->3943 3949->3946 3953 40429f GetDlgItem SendMessageA 3949->3953 3955 4041b2 CheckDlgButton 3950->3955 3956 404399 3951->3956 3952->3946 3958 40436e 3952->3958 3972 404012 EnableWindow 3953->3972 3970 404012 EnableWindow 3955->3970 3957->3952 3961 404374 SendMessageA 3958->3961 3962 404385 3958->3962 3959 4042c5 3963 4043c3 SendMessageA 3959->3963 3961->3962 3962->3956 3965 40438b SendMessageA 3962->3965 3963->3943 3964 4041d0 GetDlgItem 3971 404025 SendMessageA 3964->3971 3965->3956 3967 4041e6 SendMessageA 3968 404204 GetSysColor 3967->3968 3969 40420d SendMessageA SendMessageA lstrlenA SendMessageA SendMessageA 3967->3969 3968->3969 3969->3956 3970->3964 3971->3967 3972->3959 2900 40323b #17 SetErrorMode OleInitialize 2901 40602d 3 API calls 2900->2901 2902 403280 SHGetFileInfoA 2901->2902 2973 405d02 lstrcpynA 2902->2973 2904 4032ab GetCommandLineA 2974 405d02 lstrcpynA 2904->2974 2906 4032bd GetModuleHandleA 2907 4032d4 2906->2907 2908 4057bd CharNextA 2907->2908 2909 4032e8 CharNextA 2908->2909 2918 4032f8 2909->2918 2910 4033c2 2911 4033d5 GetTempPathA 2910->2911 2975 403207 2911->2975 2913 4033ed 2915 4033f1 GetWindowsDirectoryA lstrcatA 2913->2915 2916 403447 DeleteFileA 2913->2916 2914 4057bd CharNextA 2914->2918 2919 403207 11 API calls 2915->2919 2983 402c7b GetTickCount GetModuleFileNameA 2916->2983 2918->2910 2918->2914 2920 4033c4 2918->2920 2922 40340d 2919->2922 3067 405d02 lstrcpynA 2920->3067 2921 40345b 2923 4034f5 ExitProcess OleUninitialize 2921->2923 2932 4057bd CharNextA 2921->2932 2961 4034e1 2921->2961 2922->2916 2925 403411 GetTempPathA lstrcatA SetEnvironmentVariableA SetEnvironmentVariableA 2922->2925 2927 40350a 2923->2927 2928 4035fe 2923->2928 2926 403207 11 API calls 2925->2926 2929 
40343f 2926->2929 3070 405516 2927->3070 2930 403681 ExitProcess 2928->2930 2934 40602d 3 API calls 2928->2934 2929->2916 2929->2923 2937 403476 2932->2937 2939 40360d 2934->2939 2941 403520 lstrcatA lstrcmpiA 2937->2941 2942 4034bc 2937->2942 2940 40602d 3 API calls 2939->2940 2943 403616 2940->2943 2941->2923 2944 40353c CreateDirectoryA SetCurrentDirectoryA 2941->2944 2945 405880 18 API calls 2942->2945 2946 40602d 3 API calls 2943->2946 2947 403553 2944->2947 2948 40355e 2944->2948 2949 4034c7 2945->2949 2951 40361f 2946->2951 3074 405d02 lstrcpynA 2947->3074 3075 405d02 lstrcpynA 2948->3075 2949->2923 3068 405d02 lstrcpynA 2949->3068 2954 40366d ExitWindowsEx 2951->2954 2960 40362d GetCurrentProcess 2951->2960 2954->2930 2956 40367a 2954->2956 2955 4034d6 3069 405d02 lstrcpynA 2955->3069 3079 40140b 2956->3079 2958 405d24 18 API calls 2962 40359d DeleteFileA 2958->2962 2964 40363d 2960->2964 3012 40378b 2961->3012 2963 4035aa CopyFileA 2962->2963 2970 40356c 2962->2970 2963->2970 2964->2954 2965 4035f2 2966 405bb6 40 API calls 2965->2966 2968 4035f9 2966->2968 2967 405bb6 40 API calls 2967->2970 2968->2923 2969 405d24 18 API calls 2969->2970 2970->2958 2970->2965 2970->2967 2970->2969 2972 4035de CloseHandle 2970->2972 3076 4054b5 CreateProcessA 2970->3076 2972->2970 2973->2904 2974->2906 2976 405f6d 5 API calls 2975->2976 2978 403213 2976->2978 2977 40321d 2977->2913 2978->2977 2979 405792 3 API calls 2978->2979 2980 403225 CreateDirectoryA 2979->2980 3082 4059c2 2980->3082 3086 405993 GetFileAttributesA CreateFileA 2983->3086 2985 402cbe 3011 402ccb 2985->3011 3087 405d02 lstrcpynA 2985->3087 2987 402ce1 2988 4057d9 2 API calls 2987->2988 2989 402ce7 2988->2989 3088 405d02 lstrcpynA 2989->3088 2991 402cf2 GetFileSize 2992 402df3 2991->2992 3010 402d09 2991->3010 3089 402bdc 2992->3089 2996 402eb2 2999 402bdc 33 API calls 2996->2999 2997 402e36 GlobalAlloc 2998 4059c2 2 API calls 2997->2998 3001 402e82 CreateFileA 2998->3001 2999->3011 3003 402ebc 3001->3003 
3001->3011 3002 402e17 3004 4031da ReadFile 3002->3004 3104 4031f0 SetFilePointer 3003->3104 3007 402e22 3004->3007 3005 402bdc 33 API calls 3005->3010 3007->2997 3007->3011 3008 402eca 3105 402f43 3008->3105 3010->2992 3010->2996 3010->3005 3010->3011 3120 4031da 3010->3120 3011->2921 3013 40602d 3 API calls 3012->3013 3014 40379f 3013->3014 3015 4037a5 3014->3015 3016 4037b7 3014->3016 3153 405c60 wsprintfA 3015->3153 3017 405be9 3 API calls 3016->3017 3018 4037e2 3017->3018 3020 403800 lstrcatA 3018->3020 3022 405be9 3 API calls 3018->3022 3021 4037b5 3020->3021 3144 403a50 3021->3144 3022->3020 3025 405880 18 API calls 3026 403832 3025->3026 3027 4038bb 3026->3027 3030 405be9 3 API calls 3026->3030 3028 405880 18 API calls 3027->3028 3029 4038c1 3028->3029 3032 4038d1 LoadImageA 3029->3032 3033 405d24 18 API calls 3029->3033 3031 40385e 3030->3031 3031->3027 3036 40387a lstrlenA 3031->3036 3040 4057bd CharNextA 3031->3040 3034 403977 3032->3034 3035 4038f8 RegisterClassA 3032->3035 3033->3032 3039 40140b 2 API calls 3034->3039 3037 4034f1 3035->3037 3038 40392e SystemParametersInfoA CreateWindowExA 3035->3038 3041 403888 lstrcmpiA 3036->3041 3042 4038ae 3036->3042 3037->2923 3038->3034 3043 40397d 3039->3043 3044 403878 3040->3044 3041->3042 3045 403898 GetFileAttributesA 3041->3045 3046 405792 3 API calls 3042->3046 3043->3037 3048 403a50 19 API calls 3043->3048 3044->3036 3047 4038a4 3045->3047 3049 4038b4 3046->3049 3047->3042 3050 4057d9 2 API calls 3047->3050 3051 40398e 3048->3051 3154 405d02 lstrcpynA 3049->3154 3050->3042 3053 40399a ShowWindow LoadLibraryA 3051->3053 3054 403a1d 3051->3054 3056 4039c0 GetClassInfoA 3053->3056 3057 4039b9 LoadLibraryA 3053->3057 3155 4050bf OleInitialize 3054->3155 3058 4039d4 GetClassInfoA RegisterClassA 3056->3058 3059 4039ea DialogBoxParamA 3056->3059 3057->3056 3058->3059 3061 40140b 2 API calls 3059->3061 3060 403a23 3062 403a27 3060->3062 3063 403a3f 3060->3063 3064 403a12 3061->3064 3062->3037 3066 40140b 2 API 
calls 3062->3066 3065 40140b 2 API calls 3063->3065 3064->3037 3065->3037 3066->3037 3067->2911 3068->2955 3069->2961 3071 40552b 3070->3071 3072 403518 ExitProcess 3071->3072 3073 40553f MessageBoxIndirectA 3071->3073 3073->3072 3074->2948 3075->2970 3077 4054f0 3076->3077 3078 4054e4 CloseHandle 3076->3078 3077->2970 3078->3077 3080 401389 2 API calls 3079->3080 3081 401420 3080->3081 3081->2930 3083 4059cd GetTickCount GetTempFileNameA 3082->3083 3084 4059fa 3083->3084 3085 403239 3083->3085 3084->3083 3084->3085 3085->2913 3086->2985 3087->2987 3088->2991 3090 402c02 3089->3090 3091 402bea 3089->3091 3094 402c12 GetTickCount 3090->3094 3095 402c0a 3090->3095 3092 402bf3 DestroyWindow 3091->3092 3093 402bfa 3091->3093 3092->3093 3093->2997 3093->3011 3123 4031f0 SetFilePointer 3093->3123 3094->3093 3097 402c20 3094->3097 3124 406066 3095->3124 3098 402c55 CreateDialogParamA ShowWindow 3097->3098 3099 402c28 3097->3099 3098->3093 3099->3093 3128 402bc0 3099->3128 3101 402c36 wsprintfA 3102 404fed 25 API calls 3101->3102 3103 402c53 3102->3103 3103->3093 3104->3008 3106 402f53 SetFilePointer 3105->3106 3107 402f6f 3105->3107 3106->3107 3131 40305e GetTickCount 3107->3131 3110 40301a 3110->3011 3111 405a0b ReadFile 3112 402f8f 3111->3112 3112->3110 3113 40305e 39 API calls 3112->3113 3114 402fa6 3113->3114 3114->3110 3115 403020 ReadFile 3114->3115 3117 402fb6 3114->3117 3115->3110 3117->3110 3118 405a0b ReadFile 3117->3118 3119 402fe9 WriteFile 3117->3119 3118->3117 3119->3110 3119->3117 3121 405a0b ReadFile 3120->3121 3122 4031ed 3121->3122 3122->3010 3123->3002 3125 406083 PeekMessageA 3124->3125 3126 406093 3125->3126 3127 406079 DispatchMessageA 3125->3127 3126->3093 3127->3125 3129 402bd1 MulDiv 3128->3129 3130 402bcf 3128->3130 3129->3101 3130->3129 3132 4031c8 3131->3132 3133 40308d 3131->3133 3134 402bdc 33 API calls 3132->3134 3143 4031f0 SetFilePointer 3133->3143 3140 402f76 3134->3140 3136 403098 SetFilePointer 3139 4030bd 3136->3139 3137 4031da 
ReadFile 3137->3139 3138 402bdc 33 API calls 3138->3139 3139->3137 3139->3138 3139->3140 3141 403152 WriteFile 3139->3141 3142 4031a9 SetFilePointer 3139->3142 3140->3110 3140->3111 3141->3139 3141->3140 3142->3132 3143->3136 3145 403a64 3144->3145 3162 405c60 wsprintfA 3145->3162 3147 403ad5 3148 405d24 18 API calls 3147->3148 3149 403ae1 SetWindowTextA 3148->3149 3150 403810 3149->3150 3151 403afd 3149->3151 3150->3025 3151->3150 3152 405d24 18 API calls 3151->3152 3152->3151 3153->3021 3154->3027 3163 40403c 3155->3163 3157 405109 3158 40403c SendMessageA 3157->3158 3160 40511b OleUninitialize 3158->3160 3159 4050e2 3159->3157 3166 401389 3159->3166 3160->3060 3162->3147 3164 404054 3163->3164 3165 404045 SendMessageA 3163->3165 3164->3159 3165->3164 3168 401390 3166->3168 3167 4013fe 3167->3159 3168->3167 3169 4013cb MulDiv SendMessageA 3168->3169 3169->3168 3973 40243c 3974 402b09 19 API calls 3973->3974 3975 402446 3974->3975 3976 4029e2 18 API calls 3975->3976 3977 40244f 3976->3977 3978 402472 RegEnumValueA 3977->3978 3979 402466 RegEnumKeyA 3977->3979 3980 402665 3977->3980 3978->3980 3981 40248b RegCloseKey 3978->3981 3979->3981 3981->3980 3983 40223d 3984 402245 3983->3984 3986 40224b 3983->3986 3985 4029ff 18 API calls 3984->3985 3985->3986 3987 4029ff 18 API calls 3986->3987 3990 40225b 3986->3990 3987->3990 3988 4029ff 18 API calls 3991 402269 3988->3991 3989 4029ff 18 API calls 3992 402272 WritePrivateProfileStringA 3989->3992 3990->3988 3990->3991 3991->3989 3191 40173f 3192 4029ff 18 API calls 3191->3192 3193 401746 3192->3193 3194 401764 3193->3194 3195 40176c 3193->3195 3230 405d02 lstrcpynA 3194->3230 3231 405d02 lstrcpynA 3195->3231 3198 401777 3200 405792 3 API calls 3198->3200 3199 40176a 3202 405f6d 5 API calls 3199->3202 3201 40177d lstrcatA 3200->3201 3201->3199 3215 401789 3202->3215 3203 406006 2 API calls 3203->3215 3204 40596e 2 API calls 3204->3215 3206 4017a0 CompareFileTime 3206->3215 3207 401864 3208 404fed 25 API calls 3207->3208 
3211 40186e 3208->3211 3209 404fed 25 API calls 3212 401850 3209->3212 3210 405d02 lstrcpynA 3210->3215 3213 402f43 42 API calls 3211->3213 3214 401881 3213->3214 3216 401895 SetFileTime 3214->3216 3218 4018a7 FindCloseChangeNotification 3214->3218 3215->3203 3215->3204 3215->3206 3215->3207 3215->3210 3217 405d24 18 API calls 3215->3217 3226 405516 MessageBoxIndirectA 3215->3226 3227 40183b 3215->3227 3229 405993 GetFileAttributesA CreateFileA 3215->3229 3216->3218 3217->3215 3218->3212 3219 4018b8 3218->3219 3220 4018d0 3219->3220 3221 4018bd 3219->3221 3223 405d24 18 API calls 3220->3223 3222 405d24 18 API calls 3221->3222 3224 4018c5 lstrcatA 3222->3224 3225 4018d8 3223->3225 3224->3225 3228 405516 MessageBoxIndirectA 3225->3228 3226->3215 3227->3209 3227->3212 3228->3212 3229->3215 3230->3199 3231->3198 3993 40163f 3994 4029ff 18 API calls 3993->3994 3995 401645 3994->3995 3996 406006 2 API calls 3995->3996 3997 40164b 3996->3997 3998 40193f 3999 4029e2 18 API calls 3998->3999 4000 401946 3999->4000 4001 4029e2 18 API calls 4000->4001 4002 401950 4001->4002 4003 4029ff 18 API calls 4002->4003 4004 401959 4003->4004 4005 40196c lstrlenA 4004->4005 4006 4019a7 4004->4006 4007 401976 4005->4007 4007->4006 4011 405d02 lstrcpynA 4007->4011 4009 401990 4009->4006 4010 40199d lstrlenA 4009->4010 4010->4006 4011->4009

                      Control-flow Graph

                      [Graph image not reproduced. Legend: Executed / Not Executed. The graph begins at block 40323b-4032d2; the API calls it reaches are listed under APIs below.]
                      APIs
                      • #17.COMCTL32 ref: 0040325C
                      • SetErrorMode.KERNELBASE(00008001), ref: 00403267
                      • OleInitialize.OLE32(00000000), ref: 0040326E
                        • Part of subcall function 0040602D: GetModuleHandleA.KERNEL32(?,?,?,00403280,00000008), ref: 0040603F
                        • Part of subcall function 0040602D: LoadLibraryA.KERNELBASE(?,?,?,00403280,00000008), ref: 0040604A
                        • Part of subcall function 0040602D: GetProcAddress.KERNEL32(00000000,?), ref: 0040605B
                      • SHGetFileInfoA.SHELL32(00428800,00000000,?,00000160,00000000,00000008), ref: 00403296
                        • Part of subcall function 00405D02: lstrcpynA.KERNEL32(?,?,00000400,004032AB,rexzxxkPJ 1.0.1 Setup,NSIS Error), ref: 00405D0F
                      • GetCommandLineA.KERNEL32(rexzxxkPJ 1.0.1 Setup,NSIS Error), ref: 004032AB
                      • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe",00000000), ref: 004032BE
                      • CharNextA.USER32(00000000,"C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe",00000020), ref: 004032E9
                      • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 004033E6
                      • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004033F7
                      • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403403
                      • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403417
                      • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040341F
                      • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403430
                      • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403438
                      • DeleteFileA.KERNELBASE(1033), ref: 0040344C
                      • ExitProcess.KERNEL32(?), ref: 004034F5
                      • OleUninitialize.OLE32(?), ref: 004034FA
                      • ExitProcess.KERNEL32 ref: 0040351A
                      • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe",00000000,?), ref: 00403526
                      • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 00403532
                      • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040353E
                      • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403545
                      • DeleteFileA.KERNEL32(00428400,00428400,?,0042F000,?), ref: 0040359E
                      • CopyFileA.KERNEL32(C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe,00428400,00000001), ref: 004035B2
                      • CloseHandle.KERNEL32(00000000,00428400,00428400,?,00428400,00000000), ref: 004035DF
                      • GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 00403634
                      • ExitWindowsEx.USER32(00000002,00000000), ref: 00403670
                      • ExitProcess.KERNEL32 ref: 00403693
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1485657622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1485604753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485728938.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485969593.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_#U8fdd#U89c4#U540d#U5355.jbxd
                      Similarity
                      • API ID: ExitFileProcess$DirectoryHandlelstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
                      • String ID: "$"C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe"$1033$C:\Program Files (x86)\Common Files\System$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$`Kpu$rexzxxkPJ 1.0.1 Setup$~nsu.tmp
                      • API String ID: 2762237255-1887977825
                      • Opcode ID: 5b87fa5d4756ce226a3b8df940b002fe7ff4e0e197507c11ec0778e8f3107516
                      • Instruction ID: d9de55ced03d06ff64f53c5bfa362ea264d87c80c3b3ae8b3997c58b3daabcf8
                      • Opcode Fuzzy Hash: 5b87fa5d4756ce226a3b8df940b002fe7ff4e0e197507c11ec0778e8f3107516
                      • Instruction Fuzzy Hash: C9B107706083416AE7216F659C4DB2B3EECAF45306F04447FF581BA1E2C77C9A058B6E

                      Control-flow Graph (starting at 405d24)
                      APIs
                      • GetVersion.KERNEL32(?,00429020,00000000,00405025,00429020,00000000), ref: 00405DD5
                      • GetSystemDirectoryA.KERNEL32(exec,00000400), ref: 00405E50
                      • GetWindowsDirectoryA.KERNEL32(exec,00000400), ref: 00405E63
                      • SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405E9F
                      • SHGetPathFromIDListA.SHELL32(00000000,exec), ref: 00405EAD
                      • CoTaskMemFree.OLE32(00000000), ref: 00405EB8
                      • lstrcatA.KERNEL32(exec,\Microsoft\Internet Explorer\Quick Launch), ref: 00405EDA
                      • lstrlenA.KERNEL32(exec,?,00429020,00000000,00405025,00429020,00000000), ref: 00405F2C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1485657622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1485604753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485728938.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485969593.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_#U8fdd#U89c4#U540d#U5355.jbxd
                      Similarity
                      • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                      • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$exec$bc
                      • API String ID: 900638850-2874174515
                      • Opcode ID: 86737b39358a432263cf8977817b35e319820b2f28da26da476bc541465db4cf
                      • Instruction ID: 5b67a260774464a266975031e8de687f4ce8cb03edeffd76283fc6e3bf20d41c
                      • Opcode Fuzzy Hash: 86737b39358a432263cf8977817b35e319820b2f28da26da476bc541465db4cf
                      • Instruction Fuzzy Hash: A7613671A00A06ABDB219F25DC887BF3B64EB15705F10813BE941B62D1D33C9A42DF9E

                      Control-flow Graph (starting at 4055c2)
                      APIs
                      • DeleteFileA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,756F2EE0,00000000), ref: 004055EB
                      • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\*.*,\*.*,C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\*.*,?,?,C:\Users\user\AppData\Local\Temp\,756F2EE0,00000000), ref: 00405633
                      • lstrcatA.KERNEL32(?,00409014,?,C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\*.*,?,?,C:\Users\user\AppData\Local\Temp\,756F2EE0,00000000), ref: 00405654
                      • lstrlenA.KERNEL32(?,?,00409014,?,C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\*.*,?,?,C:\Users\user\AppData\Local\Temp\,756F2EE0,00000000), ref: 0040565A
                      • FindFirstFileA.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\*.*,?,?,?,00409014,?,C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\*.*,?,?,C:\Users\user\AppData\Local\Temp\,756F2EE0,00000000), ref: 0040566B
                      • FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405718
                      • FindClose.KERNEL32(00000000), ref: 00405729
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1485657622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1485604753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485728938.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485969593.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_#U8fdd#U89c4#U540d#U5355.jbxd
                      Similarity
                      • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                      • String ID: "C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\*.*$\*.*
                      • API String ID: 2035342205-2048324448
                      • Opcode ID: 6372f417494c38bf664bbfadf19853dd0ffb4c10625cb1f5eec778bab78212c9
                      • Instruction ID: 4fd760efccc51f8b2262951870d6f99465e6e317a30743bc9cc3d7de00265efa
                      • Opcode Fuzzy Hash: 6372f417494c38bf664bbfadf19853dd0ffb4c10625cb1f5eec778bab78212c9
                      • Instruction Fuzzy Hash: 3151C030904904EADB21AA628C85FBF7BB8DF42718F14443BF855721D1D73C8982EE6E

                      Control-flow Graph (starting at 406006)
                      APIs
                      • FindFirstFileA.KERNELBASE(?,0042B090,C:\,004058C3,C:\,C:\,00000000,C:\,C:\,?,?,756F2EE0,004055E2,?,C:\Users\user\AppData\Local\Temp\,756F2EE0), ref: 00406011
                      • FindClose.KERNELBASE(00000000), ref: 0040601D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1485657622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1485604753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485728938.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485969593.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_#U8fdd#U89c4#U540d#U5355.jbxd
                      Similarity
                      • API ID: Find$CloseFileFirst
                      • String ID: C:\
                      • API String ID: 2295610775-3404278061
                      • Opcode ID: 39b40f49af5ebc512e67e1554d08d8a2e309b254ed45ec28913962e36f8c6feb
                      • Instruction ID: b96e8f86fd60adf8bc7900e188e54b1a1c20844179a8ff035978b64800b7754d
                      • Opcode Fuzzy Hash: 39b40f49af5ebc512e67e1554d08d8a2e309b254ed45ec28913962e36f8c6feb
                      • Instruction Fuzzy Hash: 77D012719491205BC31197387C0C85B7E58DF09331B118A33F56AF12E4D7349C7286ED
                      APIs
                      • GetModuleHandleA.KERNEL32(?,?,?,00403280,00000008), ref: 0040603F
                      • LoadLibraryA.KERNELBASE(?,?,?,00403280,00000008), ref: 0040604A
                      • GetProcAddress.KERNEL32(00000000,?), ref: 0040605B
                      Memory Dump Source
                      • Source File: 00000000.00000002.1485657622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1485604753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485728938.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485969593.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_#U8fdd#U89c4#U540d#U5355.jbxd
                      Similarity
                      • API ID: AddressHandleLibraryLoadModuleProc
                      • String ID:
                      • API String ID: 310444273-0
                      • Opcode ID: 14778026069da28af87b9950d589da7dca929d2a00fc8d83b3a738ce3464f0c4
                      • Instruction ID: 3642e1e05e09fe416da51aa2f4e40435557c29abfb7dd0d1ec60ed088049c68e
                      • Opcode Fuzzy Hash: 14778026069da28af87b9950d589da7dca929d2a00fc8d83b3a738ce3464f0c4
                      • Instruction Fuzzy Hash: D0E0CD3290411167D710AB749D44D7773ACAFC5750305483DF505F2150D734AC51E7A9

                      Control-flow Graph (starting at 40378b)
                      APIs
                        • Part of subcall function 0040602D: GetModuleHandleA.KERNEL32(?,?,?,00403280,00000008), ref: 0040603F
                        • Part of subcall function 0040602D: LoadLibraryA.KERNELBASE(?,?,?,00403280,00000008), ref: 0040604A
                        • Part of subcall function 0040602D: GetProcAddress.KERNEL32(00000000,?), ref: 0040605B
                      • lstrcatA.KERNEL32(1033,00429840,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429840,00000000,00000006,C:\Users\user\AppData\Local\Temp\,756F3410,"C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe",00000000), ref: 00403806
                      • lstrlenA.KERNEL32(exec,?,?,?,exec,00000000,C:\Program Files (x86)\Common Files\System,1033,00429840,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429840,00000000,00000006,C:\Users\user\AppData\Local\Temp\), ref: 0040387B
                      • lstrcmpiA.KERNEL32(?,.exe), ref: 0040388E
                      • GetFileAttributesA.KERNEL32(exec), ref: 00403899
                      • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Program Files (x86)\Common Files\System), ref: 004038E2
                        • Part of subcall function 00405C60: wsprintfA.USER32 ref: 00405C6D
                      • RegisterClassA.USER32(0042DB60), ref: 0040391F
                      • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403937
                      • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 0040396C
                      • ShowWindow.USER32(00000005,00000000), ref: 004039A2
                      • LoadLibraryA.KERNEL32(RichEd20), ref: 004039B3
                      • LoadLibraryA.KERNEL32(RichEd32), ref: 004039BE
                      • GetClassInfoA.USER32(00000000,RichEdit20A,0042DB60), ref: 004039CE
                      • GetClassInfoA.USER32(00000000,RichEdit,0042DB60), ref: 004039DB
                      • RegisterClassA.USER32(0042DB60), ref: 004039E4
                      • DialogBoxParamA.USER32(?,00000000,00403B1D,00000000), ref: 00403A03
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1485657622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1485604753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485728938.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485969593.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_#U8fdd#U89c4#U540d#U5355.jbxd
                      Similarity
                      • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                      • String ID: "C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Program Files (x86)\Common Files\System$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$exec
                      • API String ID: 914957316-3951190402
                      • Opcode ID: cd1a1d328446e14f4d78bb9612b7c64bcbb3220609ad6d174608b3cc43577e44
                      • Instruction ID: eab6c8e0457bfe94922927a783ec3a7f0177555211069ab2f65310f05ada8af1
                      • Opcode Fuzzy Hash: cd1a1d328446e14f4d78bb9612b7c64bcbb3220609ad6d174608b3cc43577e44
                      • Instruction Fuzzy Hash: EA61C671A44200BEE720BB629C85F273EACEB44749F54457FF940B22E1C77DAD028A6D

                      Control-flow Graph (starting at 402c7b)
                      APIs
                      • GetTickCount.KERNEL32 ref: 00402C8F
                      • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe,00000400), ref: 00402CAB
                        • Part of subcall function 00405993: GetFileAttributesA.KERNELBASE(00000003,00402CBE,C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe,80000000,00000003), ref: 00405997
                        • Part of subcall function 00405993: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059B9
                      • GetFileSize.KERNEL32(00000000,00000000,00436000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe,C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe,80000000,00000003), ref: 00402CF4
                      • GlobalAlloc.KERNELBASE(00000040,00409130), ref: 00402E3B
                      Strings
                      • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402EF6
                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00402C88, 00402E5B
                      • Null, xrefs: 00402D74
                      • C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe, xrefs: 00402C95, 00402CA4, 00402CB8, 00402CD5
                      • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402EA8
                      • Error launching installer, xrefs: 00402CCB
                      • soft, xrefs: 00402D6B
                      • Inst, xrefs: 00402D62
                      • "C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe", xrefs: 00402C7B
                      • C:\Users\user\Desktop, xrefs: 00402CD6, 00402CDB, 00402CE1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1485657622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1485604753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485728938.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485969593.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_#U8fdd#U89c4#U540d#U5355.jbxd
                      Similarity
                      • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                      • String ID: "C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                      • API String ID: 2803837635-3735410704
                      • Opcode ID: de3bfadf5dd72ec28905c503ac03002633993a0cc294d8ed64054f07ba3d5b9d
                      • Instruction ID: c1ff5e3711c1197911a082a9c9dcd196acec121115b493865d4f60a77de088eb
                      • Opcode Fuzzy Hash: de3bfadf5dd72ec28905c503ac03002633993a0cc294d8ed64054f07ba3d5b9d
                      • Instruction Fuzzy Hash: 1E71EF71A40205ABCB20DF65DE89B9A7AB8FF04354F60413BE910F72D2D7B89D418B9D

                      Control-flow Graph (starting at 40173f)
                      APIs
                      • lstrcatA.KERNEL32(00000000,00000000,exec,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 0040177E
                      • CompareFileTime.KERNEL32(-00000014,?,exec,exec,00000000,00000000,exec,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017A8
                        • Part of subcall function 00405D02: lstrcpynA.KERNEL32(?,?,00000400,004032AB,rexzxxkPJ 1.0.1 Setup,NSIS Error), ref: 00405D0F
                        • Part of subcall function 00404FED: lstrlenA.KERNEL32(00429020,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C53,00000000,?), ref: 00405026
                        • Part of subcall function 00404FED: lstrlenA.KERNEL32(00402C53,00429020,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C53,00000000), ref: 00405036
                        • Part of subcall function 00404FED: lstrcatA.KERNEL32(00429020,00402C53,00402C53,00429020,00000000,00000000,00000000), ref: 00405049
                        • Part of subcall function 00404FED: SetWindowTextA.USER32(00429020,00429020), ref: 0040505B
                        • Part of subcall function 00404FED: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405081
                        • Part of subcall function 00404FED: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040509B
                        • Part of subcall function 00404FED: SendMessageA.USER32(?,00001013,?,00000000), ref: 004050A9
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1485657622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1485604753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485728938.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485969593.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_#U8fdd#U89c4#U540d#U5355.jbxd
                      Similarity
                      • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                      • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsr5B39.tmp$C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\ExecDos.dll$exec
                      • API String ID: 1941528284-4156149492
                      • Opcode ID: 7ef673116ba992940f90d16ae2e68c4aba0bc3e885259ee53f1d2f9c3668c510
                      • Instruction ID: 513d6a2ee1f2e57269983953956d9d646ee050a99320174bfeef3c968ef851ad
                      • Opcode Fuzzy Hash: 7ef673116ba992940f90d16ae2e68c4aba0bc3e885259ee53f1d2f9c3668c510
                      • Instruction Fuzzy Hash: 1741B771900515BACB107B65DC4AEAF3679DF0532CF20823BF421F21E2DA3C4A419A6D

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 449 40305e-403087 GetTickCount 450 4031c8-4031d0 call 402bdc 449->450 451 40308d-4030b8 call 4031f0 SetFilePointer 449->451 456 4031d2-4031d7 450->456 457 4030bd-4030cf 451->457 458 4030d1 457->458 459 4030d3-4030e1 call 4031da 457->459 458->459 462 4030e7-4030f3 459->462 463 4031ba-4031bd 459->463 464 4030f9-4030ff 462->464 463->456 465 403101-403107 464->465 466 40312a-403146 call 40610d 464->466 465->466 468 403109-403129 call 402bdc 465->468 472 4031c3 466->472 473 403148-403150 466->473 468->466 474 4031c5-4031c6 472->474 475 403152-403168 WriteFile 473->475 476 403184-40318a 473->476 474->456 477 40316a-40316e 475->477 478 4031bf-4031c1 475->478 476->472 479 40318c-40318e 476->479 477->478 480 403170-40317c 477->480 478->474 479->472 481 403190-4031a3 479->481 480->464 482 403182 480->482 481->457 483 4031a9-4031b8 SetFilePointer 481->483 482->481 483->450
                      APIs
                      • GetTickCount.KERNEL32 ref: 00403073
                        • Part of subcall function 004031F0: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402ECA,?), ref: 004031FE
                      • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00402F76,00000004,00000008,00000000,?,?,?,00402EF1,000000FF,00000000,00000000), ref: 004030A6
                      • WriteFile.KERNELBASE(004143E8,00418EFA,00000000,00000000,0040A828,0041C3E8,00004000,?,00000000,?,00402F76,00000004,00000008,00000000,?,?), ref: 00403160
                      • SetFilePointer.KERNELBASE(015B0CD5,00000000,00000000,0040A828,0041C3E8,00004000,?,00000000,?,00402F76,00000004,00000008,00000000,?,?), ref: 004031B2
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1485657622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1485604753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485728938.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485969593.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_#U8fdd#U89c4#U540d#U5355.jbxd
                      Similarity
                      • API ID: File$Pointer$CountTickWrite
                      • String ID: CA
                      • API String ID: 2146148272-1052703068
                      • Opcode ID: d56b8f20e0d70ed42b9d1004dd47c48d44626af71e94203716d3b228a54e5f6c
                      • Instruction ID: db21fa92fbf5d6ee627aae5fea5abc0f8783032ec9f3bb3fe1fdd731441dc78b
                      • Opcode Fuzzy Hash: d56b8f20e0d70ed42b9d1004dd47c48d44626af71e94203716d3b228a54e5f6c
                      • Instruction Fuzzy Hash: ED419372A103019FD720EF25ED8492A3BECFB0875A714853BE810B62E1D7756D52CB9E

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 484 401f68-401f74 485 401f7a-401f90 call 4029ff * 2 484->485 486 40202f-402031 484->486 497 401f92-401f9d GetModuleHandleA 485->497 498 401f9f-401fad LoadLibraryExA 485->498 487 40217e-402183 call 401423 486->487 493 402894-4028a3 487->493 494 402665-40266c 487->494 494->493 497->498 500 401faf-401fbc GetProcAddress 497->500 499 402028-40202a 498->499 498->500 499->487 502 401ffb-402000 call 404fed 500->502 503 401fbe-401fc4 500->503 508 402005-402008 502->508 504 401fc6-401fd2 call 401423 503->504 505 401fdd-401ff1 503->505 504->508 516 401fd4-401fdb 504->516 510 401ff6-401ff9 505->510 508->493 511 40200e-402016 call 40372b 508->511 510->508 511->493 515 40201c-402023 FreeLibrary 511->515 515->493 516->508
                      APIs
                      • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401F93
                        • Part of subcall function 00404FED: lstrlenA.KERNEL32(00429020,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C53,00000000,?), ref: 00405026
                        • Part of subcall function 00404FED: lstrlenA.KERNEL32(00402C53,00429020,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C53,00000000), ref: 00405036
                        • Part of subcall function 00404FED: lstrcatA.KERNEL32(00429020,00402C53,00402C53,00429020,00000000,00000000,00000000), ref: 00405049
                        • Part of subcall function 00404FED: SetWindowTextA.USER32(00429020,00429020), ref: 0040505B
                        • Part of subcall function 00404FED: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405081
                        • Part of subcall function 00404FED: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040509B
                        • Part of subcall function 00404FED: SendMessageA.USER32(?,00001013,?,00000000), ref: 004050A9
                      • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FA3
                      • GetProcAddress.KERNEL32(00000000,?), ref: 00401FB3
                      • FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040201D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1485657622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1485604753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485728938.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485969593.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_#U8fdd#U89c4#U540d#U5355.jbxd
                      Similarity
                      • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                      • String ID: @B
                      • API String ID: 2987980305-393656158
                      • Opcode ID: c815caac4aa77305f45455a9f00003932eeacfc152f75effc3c18aec502ad80d
                      • Instruction ID: 5a70b7e9ed5c66569718cb47657e97c2e71daff34dbc0428188c0ac1aff3873a
                      • Opcode Fuzzy Hash: c815caac4aa77305f45455a9f00003932eeacfc152f75effc3c18aec502ad80d
                      • Instruction Fuzzy Hash: FD213D72904211EBCF20BFB58E4DA6E39B06B4435CF24423BF601B62D0D7BC4942DA5E

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 517 4015b3-4015c6 call 4029ff call 40582b 522 4015c8-4015e3 call 4057bd CreateDirectoryA 517->522 523 40160a-40160d 517->523 530 401600-401608 522->530 531 4015e5-4015f0 GetLastError 522->531 525 401638-402183 call 401423 523->525 526 40160f-40162a call 401423 call 405d02 SetCurrentDirectoryA 523->526 539 402894-4028a3 525->539 540 402665-40266c 525->540 526->539 541 401630-401633 526->541 530->522 530->523 534 4015f2-4015fb GetFileAttributesA 531->534 535 4015fd 531->535 534->530 534->535 535->530 540->539 541->539
                      APIs
                        • Part of subcall function 0040582B: CharNextA.USER32(?,?,C:\,?,00405897,C:\,C:\,?,?,756F2EE0,004055E2,?,C:\Users\user\AppData\Local\Temp\,756F2EE0,00000000), ref: 00405839
                        • Part of subcall function 0040582B: CharNextA.USER32(00000000), ref: 0040583E
                        • Part of subcall function 0040582B: CharNextA.USER32(00000000), ref: 00405852
                      • CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
                      • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
                      • GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
                      • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401622
                      Strings
                      • C:\Users\user\AppData\Local\Temp, xrefs: 00401617
                      Memory Dump Source
                      • Source File: 00000000.00000002.1485657622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1485604753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485728938.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485969593.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_#U8fdd#U89c4#U540d#U5355.jbxd
                      Similarity
                      • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                      • String ID: C:\Users\user\AppData\Local\Temp
                      • API String ID: 3751793516-1116454783
                      • Opcode ID: 4acf4448e4fe86c4dd1c0c4deb556b5104350f4edfc5772462215aba8e9cee7b
                      • Instruction ID: cb8ff8e60eba8888ba5c4fa3660009e8cf72d251987852953c62b12229910ec5
                      • Opcode Fuzzy Hash: 4acf4448e4fe86c4dd1c0c4deb556b5104350f4edfc5772462215aba8e9cee7b
                      • Instruction Fuzzy Hash: E8114C31908150ABDB217F755D44A7F37B0EE51365728473FF491B22D1D23C0D42962E

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 544 4059c2-4059cc 545 4059cd-4059f8 GetTickCount GetTempFileNameA 544->545 546 405a07-405a09 545->546 547 4059fa-4059fc 545->547 549 405a01-405a04 546->549 547->545 548 4059fe 547->548 548->549
                      APIs
                      • GetTickCount.KERNEL32 ref: 004059D6
                      • GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 004059F0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1485657622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1485604753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485728938.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485969593.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_#U8fdd#U89c4#U540d#U5355.jbxd
                      Similarity
                      • API ID: CountFileNameTempTick
                      • String ID: "C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                      • API String ID: 1716503409-3449021037
                      • Opcode ID: be632fe28ab69ff4c12b507213d52797c66cf3140a4a4b63bf78ed2c6fdf214e
                      • Instruction ID: e88dcfe2ffd9ff8202980f15a451018ea4578ff9787a32f2987c264086a3fc6d
                      • Opcode Fuzzy Hash: be632fe28ab69ff4c12b507213d52797c66cf3140a4a4b63bf78ed2c6fdf214e
                      • Instruction Fuzzy Hash: 65F082367483486BDB108F56DC44BDB7B98EF91750F10803BF904AA280D6B1A954CB59

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 550 405880-40589b call 405d02 call 40582b 555 4058a1-4058ae call 405f6d 550->555 556 40589d-40589f 550->556 560 4058b0-4058b4 555->560 561 4058ba-4058bc 555->561 558 4058f3-4058f5 556->558 560->556 562 4058b6-4058b8 560->562 563 4058d2-4058db lstrlenA 561->563 562->556 562->561 564 4058dd-4058f1 call 405792 GetFileAttributesA 563->564 565 4058be-4058c5 call 406006 563->565 564->558 570 4058c7-4058ca 565->570 571 4058cc-4058cd call 4057d9 565->571 570->556 570->571 571->563
                      APIs
                        • Part of subcall function 00405D02: lstrcpynA.KERNEL32(?,?,00000400,004032AB,rexzxxkPJ 1.0.1 Setup,NSIS Error), ref: 00405D0F
                        • Part of subcall function 0040582B: CharNextA.USER32(?,?,C:\,?,00405897,C:\,C:\,?,?,756F2EE0,004055E2,?,C:\Users\user\AppData\Local\Temp\,756F2EE0,00000000), ref: 00405839
                        • Part of subcall function 0040582B: CharNextA.USER32(00000000), ref: 0040583E
                        • Part of subcall function 0040582B: CharNextA.USER32(00000000), ref: 00405852
                      • lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,?,?,756F2EE0,004055E2,?,C:\Users\user\AppData\Local\Temp\,756F2EE0,00000000), ref: 004058D3
                      • GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,?,?,756F2EE0,004055E2,?,C:\Users\user\AppData\Local\Temp\,756F2EE0), ref: 004058E3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1485657622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1485604753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485728938.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485969593.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_#U8fdd#U89c4#U540d#U5355.jbxd
                      Similarity
                      • API ID: CharNext$AttributesFilelstrcpynlstrlen
                      • String ID: C:\
                      • API String ID: 3248276644-3404278061
                      • Opcode ID: 9b851943ec16d9673c65665a2613785b91b0dafa5de18e0b66232fb399bec77c
                      • Instruction ID: 4a31d1992119ab435eca7fde6f57ef2f833f05e668f8c9faa2e68a7e2d379729
                      • Opcode Fuzzy Hash: 9b851943ec16d9673c65665a2613785b91b0dafa5de18e0b66232fb399bec77c
                      • Instruction Fuzzy Hash: BFF0CD17106E5126D22632361C09A9F1A55CD86714718C53BFC51B12D1DB3C8863DDBE

                      Control-flow Graph

                      APIs
                        • Part of subcall function 00405F6D: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403213,C:\Users\user\AppData\Local\Temp\,756F3410,004033ED), ref: 00405FC5
                        • Part of subcall function 00405F6D: CharNextA.USER32(?,?,?,00000000), ref: 00405FD2
                        • Part of subcall function 00405F6D: CharNextA.USER32(?,"C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403213,C:\Users\user\AppData\Local\Temp\,756F3410,004033ED), ref: 00405FD7
                        • Part of subcall function 00405F6D: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403213,C:\Users\user\AppData\Local\Temp\,756F3410,004033ED), ref: 00405FE7
                      • CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,756F3410,004033ED), ref: 00403228
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1485657622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1485604753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485728938.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485969593.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_#U8fdd#U89c4#U540d#U5355.jbxd
                      Similarity
                      • API ID: Char$Next$CreateDirectoryPrev
                      • String ID: 1033$C:\Users\user\AppData\Local\Temp\
                      • API String ID: 4115351271-3645488871
                      • Opcode ID: e2f436c2c85055cb36e73c0dc8b964f63f0f90a068d46186aca38fb001de8a63
                      • Instruction ID: 056f46163a04eb1ed77e4ab2097a20d8e9eab7b45e6945eecad59ccfb9bbbcf5
                      • Opcode Fuzzy Hash: e2f436c2c85055cb36e73c0dc8b964f63f0f90a068d46186aca38fb001de8a63
                      • Instruction Fuzzy Hash: 1CD0C71154AD3071D55137763D06FCF151C8F5A719F519077F508760C25B6C198355FE

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 584 4036f6-403706 call 4036db 587 403722-40372a 584->587 588 403708 584->588 589 403709-40371f FreeLibrary GlobalFree 588->589 589->589 590 403721 589->590 590->587
                      APIs
                      • FreeLibrary.KERNELBASE(?,C:\Users\user\AppData\Local\Temp\,00000000,756F2EE0,004036CD,756F3410,004034FA,?), ref: 00403710
                      • GlobalFree.KERNEL32(00000000), ref: 00403717
                      Strings
                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00403708
                      Memory Dump Source
                      • Source File: 00000000.00000002.1485657622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1485604753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485728938.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485969593.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_#U8fdd#U89c4#U540d#U5355.jbxd
                      Similarity
                      • API ID: Free$GlobalLibrary
                      • String ID: C:\Users\user\AppData\Local\Temp\
                      • API String ID: 1100898210-1881609536
                      • Opcode ID: 9a52265bacc1e02de786b97a87fb577da1f11b6697abf4e8bd377110e1cd6801
                      • Instruction ID: 7dbf0ca92301b09730d34d81bb9ceea32934e6ac70adf41bc2970f740e2c7027
                      • Opcode Fuzzy Hash: 9a52265bacc1e02de786b97a87fb577da1f11b6697abf4e8bd377110e1cd6801
                      • Instruction Fuzzy Hash: 64E08C329020209BC6616F94A90471A7BA8AB48B22F4A842AE8007B3A187746C428A98

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 595 402f43-402f51 596 402f53-402f69 SetFilePointer 595->596 597 402f6f-402f78 call 40305e 595->597 596->597 600 403058-40305b 597->600 601 402f7e-402f91 call 405a0b 597->601 604 403044 601->604 605 402f97-402fab call 40305e 601->605 607 403046-403047 604->607 605->600 609 402fb1-402fb4 605->609 607->600 610 403020-403026 609->610 611 402fb6-402fb9 609->611 612 403028 610->612 613 40302b-403042 ReadFile 610->613 614 403055 611->614 615 402fbf 611->615 612->613 613->604 616 403049-403052 613->616 614->600 617 402fc4-402fce 615->617 616->614 618 402fd0 617->618 619 402fd5-402fe7 call 405a0b 617->619 618->619 619->604 622 402fe9-402ffe WriteFile 619->622 623 403000-403003 622->623 624 40301c-40301e 622->624 623->624 625 403005-403018 623->625 624->607 625->617 626 40301a 625->626 626->614
                      APIs
                      • SetFilePointer.KERNELBASE(00409130,00000000,00000000,00000008,00000000,?,?,?,00402EF1,000000FF,00000000,00000000,00409130,?), ref: 00402F69
                      • WriteFile.KERNELBASE(00000000,0041C3E8,?,000000FF,00000000,0041C3E8,00004000,00409130,00409130,00000004,00000004,00000008,00000000,?,?), ref: 00402FF6
                      Memory Dump Source
                      • Source File: 00000000.00000002.1485657622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1485604753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485728938.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485969593.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_#U8fdd#U89c4#U540d#U5355.jbxd
                      Similarity
                      • API ID: File$PointerWrite
                      • String ID:
                      • API String ID: 539440098-0
                      • Opcode ID: e8a7483187b5b5937663e6b057a5a0a779d5a1b3c243f8a48fd651df8b6e6708
                      • Instruction ID: 1cbdde04fc9c4562a279fe4741d5c1646948c1bd1802bac1b78b05403530cfac
                      • Opcode Fuzzy Hash: e8a7483187b5b5937663e6b057a5a0a779d5a1b3c243f8a48fd651df8b6e6708
                      • Instruction Fuzzy Hash: ED316730601219EBDF21DF56ED84A9F3FA8EB01765F20813AF904E61D1D338DA41DBA9
                      APIs
                        • Part of subcall function 00406006: FindFirstFileA.KERNELBASE(?,0042B090,C:\,004058C3,C:\,C:\,00000000,C:\,C:\,?,?,756F2EE0,004055E2,?,C:\Users\user\AppData\Local\Temp\,756F2EE0), ref: 00406011
                        • Part of subcall function 00406006: FindClose.KERNELBASE(00000000), ref: 0040601D
                      • lstrlenA.KERNEL32 ref: 004021CC
                      • lstrlenA.KERNEL32(00000000), ref: 004021D6
                      • SHFileOperationA.SHELL32(?,?,?,00000000), ref: 004021FE
                      Memory Dump Source
                      • Source File: 00000000.00000002.1485657622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1485604753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485728938.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485969593.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_#U8fdd#U89c4#U540d#U5355.jbxd
                      Similarity
                      • API ID: FileFindlstrlen$CloseFirstOperation
                      • String ID:
                      • API String ID: 1486964399-0
                      • Opcode ID: a3618a538d84d146095805e54ea6110d6bc1ae2d612c99ba02184ef64b6ed156
                      • Instruction ID: db547469b721ea523230c45db9663159b48a77921d64fccf4615ca35bc03184a
                      • Opcode Fuzzy Hash: a3618a538d84d146095805e54ea6110d6bc1ae2d612c99ba02184ef64b6ed156
                      • Instruction Fuzzy Hash: 6411C871E04305AADB10EFF68A4999EB7F8AF04308F14813BB501FB2C5D6BCC5019759
                      APIs
                      • RegOpenKeyExA.KERNELBASE(80000002,00405E2E,00000000,00000002,?,00000002,?,?,00405E2E,80000002,Software\Microsoft\Windows\CurrentVersion,?,exec,?), ref: 00405C12
                      • RegQueryValueExA.KERNELBASE(?,?,00000000,00405E2E,?,00405E2E), ref: 00405C33
                      • RegCloseKey.KERNELBASE(?), ref: 00405C54
                      Memory Dump Source
                      • Source File: 00000000.00000002.1485657622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1485604753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485728938.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485969593.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_#U8fdd#U89c4#U540d#U5355.jbxd
                      Similarity
                      • API ID: CloseOpenQueryValue
                      • String ID:
                      • API String ID: 3677997916-0
                      • Opcode ID: a7dc294ab98d1aedf48ab84cf89b8b0d9a3be53888eb2216a8b2e534b80ab0d4
                      • Instruction ID: 8d57f4d3710c17138d7ccd854d5ba7783d150690c5156c39201fda8b422389fc
                      • Opcode Fuzzy Hash: a7dc294ab98d1aedf48ab84cf89b8b0d9a3be53888eb2216a8b2e534b80ab0d4
                      • Instruction Fuzzy Hash: D901487114420AEFEF228F65EC44EEB3FACEF15358F004026F905A6220D235D964CBA9
                      APIs
                        • Part of subcall function 0040596E: GetFileAttributesA.KERNELBASE(?,?,00405586,?,?,00000000,00405769,?,?,?,?), ref: 00405973
                        • Part of subcall function 0040596E: SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405987
                      • RemoveDirectoryA.KERNELBASE(?,?,?,00000000,00405769), ref: 00405595
                      • DeleteFileA.KERNELBASE(?,?,?,00000000,00405769), ref: 0040559D
                      • SetFileAttributesA.KERNEL32(?,00000000), ref: 004055B5
                      Memory Dump Source
                      • Source File: 00000000.00000002.1485657622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1485604753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485728938.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485969593.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_#U8fdd#U89c4#U540d#U5355.jbxd
                      Similarity
                      • API ID: File$Attributes$DeleteDirectoryRemove
                      • String ID:
                      • API String ID: 1655745494-0
                      • Opcode ID: abd038863be241f110d95ccd9fde628896f101e4ff1c11c0b7d20b5ecf2a2518
                      • Instruction ID: a0d73d70821ae7ca3d5b358ecb031579c4af9a2d7e6351f5fcd2caccc7128bed
                      • Opcode Fuzzy Hash: abd038863be241f110d95ccd9fde628896f101e4ff1c11c0b7d20b5ecf2a2518
                      • Instruction Fuzzy Hash: E8E0E53150AA50A7D22057309D0CA5F2ADADF86334F044936F851F21D4D37C48068A7B
                      APIs
                      • CloseHandle.KERNEL32(FFFFFFFF,756F3410,004034FA,?), ref: 004036AB
                      • CloseHandle.KERNEL32(FFFFFFFF,756F3410,004034FA,?), ref: 004036BF
                      Strings
                      • C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\, xrefs: 004036CF
                      Similarity
                      • API ID: CloseHandle
                      • String ID: C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\
                      • API String ID: 2962429428-3213569912
                      APIs
                      • ShellExecuteA.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Local\Temp,?), ref: 00401E1E
                      Strings
                      • C:\Users\user\AppData\Local\Temp, xrefs: 00401E09
                      Similarity
                      • API ID: ExecuteShell
                      • String ID: C:\Users\user\AppData\Local\Temp
                      • API String ID: 587946157-1116454783
                      APIs
                      • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                      • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                      Similarity
                      • API ID: MessageSend
                      • String ID:
                      • API String ID: 3850602802-0
                      APIs
                      • GetFileAttributesA.KERNELBASE(00000003,00402CBE,C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe,80000000,00000003), ref: 00405997
                      • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059B9
                      Similarity
                      • API ID: File$AttributesCreate
                      • String ID:
                      • API String ID: 415043291-0
                      APIs
                      • GetFileAttributesA.KERNELBASE(?,?,00405586,?,?,00000000,00405769,?,?,?,?), ref: 00405973
                      • SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405987
                      Similarity
                      • API ID: AttributesFile
                      • String ID:
                      • API String ID: 3188754299-0
                      APIs
                      • ReadFile.KERNELBASE(00409130,00000000,00000000,00000000,00000000,0041C3E8,004143E8,004031ED,00409130,00409130,004030DF,0041C3E8,00004000,?,00000000,?), ref: 00405A1F
                      Similarity
                      • API ID: FileRead
                      • String ID:
                      • API String ID: 2738559852-0
                      APIs
                      • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402ECA,?), ref: 004031FE
                      Similarity
                      • API ID: FilePointer
                      • String ID:
                      • API String ID: 973152223-0
                      APIs
                      • Sleep.KERNELBASE(00000000), ref: 004014E5
                      Similarity
                      • API ID: Sleep
                      • String ID:
                      • API String ID: 3472027048-0
                      APIs
                      • GetDlgItem.USER32(?,000003F9), ref: 00404982
                      • GetDlgItem.USER32(?,00000408), ref: 0040498D
                      • GlobalAlloc.KERNEL32(00000040,?), ref: 004049D7
                      • LoadBitmapA.USER32(0000006E), ref: 004049EA
                      • SetWindowLongA.USER32(?,000000FC,00404F61), ref: 00404A03
                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A17
                      • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404A29
                      • SendMessageA.USER32(?,00001109,00000002), ref: 00404A3F
                      • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404A4B
                      • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404A5D
                      • DeleteObject.GDI32(00000000), ref: 00404A60
                      • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404A8B
                      • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404A97
                      • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404B2C
                      • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404B57
                      • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404B6B
                      • GetWindowLongA.USER32(?,000000F0), ref: 00404B9A
                      • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404BA8
                      • ShowWindow.USER32(?,00000005), ref: 00404BB9
                      • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404CB6
                      • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404D1B
                      • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404D30
                      • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404D54
                      • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404D74
                      • ImageList_Destroy.COMCTL32(?), ref: 00404D89
                      • GlobalFree.KERNEL32(?), ref: 00404D99
                      • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404E12
                      • SendMessageA.USER32(?,00001102,?,?), ref: 00404EBB
                      • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404ECA
                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00404EEA
                      • ShowWindow.USER32(?,00000000), ref: 00404F38
                      • GetDlgItem.USER32(?,000003FE), ref: 00404F43
                      • ShowWindow.USER32(00000000), ref: 00404F4A
                      Strings
                      Similarity
                      • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                      • String ID: $M$N$bc
                      • API String ID: 1638840714-3492152879
                      APIs
                      • GetDlgItem.USER32(?,00000403), ref: 0040518B
                      • GetDlgItem.USER32(?,000003EE), ref: 0040519A
                      • GetClientRect.USER32(?,?), ref: 004051D7
                      • GetSystemMetrics.USER32(00000015), ref: 004051DF
                      • SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00405200
                      • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405211
                      • SendMessageA.USER32(?,00001001,00000000,?), ref: 00405224
                      • SendMessageA.USER32(?,00001026,00000000,?), ref: 00405232
                      • SendMessageA.USER32(?,00001024,00000000,?), ref: 00405245
                      • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405267
                      • ShowWindow.USER32(?,00000008), ref: 0040527B
                      • GetDlgItem.USER32(?,000003EC), ref: 0040529C
                      • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004052AC
                      • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004052C5
                      • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004052D1
                      • GetDlgItem.USER32(?,000003F8), ref: 004051A9
                        • Part of subcall function 00404025: SendMessageA.USER32(00000028,?,00000001,00403E56), ref: 00404033
                      • GetDlgItem.USER32(?,000003EC), ref: 004052ED
                      • CreateThread.KERNEL32(00000000,00000000,Function_000050BF,00000000), ref: 004052FB
                      • CloseHandle.KERNEL32(00000000), ref: 00405302
                      • ShowWindow.USER32(00000000), ref: 00405325
                      • ShowWindow.USER32(?,00000008), ref: 0040532C
                      • ShowWindow.USER32(00000008), ref: 00405372
                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004053A6
                      • CreatePopupMenu.USER32 ref: 004053B7
                      • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004053CC
                      • GetWindowRect.USER32(?,000000FF), ref: 004053EC
                      • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405405
                      • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405441
                      • OpenClipboard.USER32(00000000), ref: 00405451
                      • EmptyClipboard.USER32 ref: 00405457
                      • GlobalAlloc.KERNEL32(00000042,?), ref: 00405460
                      • GlobalLock.KERNEL32(00000000), ref: 0040546A
                      • SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040547E
                      • GlobalUnlock.KERNEL32(00000000), ref: 00405497
                      • SetClipboardData.USER32(00000001,00000000), ref: 004054A2
                      • CloseClipboard.USER32 ref: 004054A8
                      Similarity
                      • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                      • String ID:
                      • API String ID: 590372296-0
                      APIs
                      • GetDlgItem.USER32(?,000003FB), ref: 0040447D
                      • SetWindowTextA.USER32(00000000,?), ref: 004044A7
                      • SHBrowseForFolderA.SHELL32(?,00428C18,?), ref: 00404558
                      • CoTaskMemFree.OLE32(00000000), ref: 00404563
                      • lstrcmpiA.KERNEL32(exec,00429840), ref: 00404595
                      • lstrcatA.KERNEL32(?,exec), ref: 004045A1
                      • SetDlgItemTextA.USER32(?,000003FB,?), ref: 004045B3
                        • Part of subcall function 004054FA: GetDlgItemTextA.USER32(?,?,00000400,004045EA), ref: 0040550D
                        • Part of subcall function 00405F6D: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403213,C:\Users\user\AppData\Local\Temp\,756F3410,004033ED), ref: 00405FC5
                        • Part of subcall function 00405F6D: CharNextA.USER32(?,?,?,00000000), ref: 00405FD2
                        • Part of subcall function 00405F6D: CharNextA.USER32(?,"C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403213,C:\Users\user\AppData\Local\Temp\,756F3410,004033ED), ref: 00405FD7
                        • Part of subcall function 00405F6D: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403213,C:\Users\user\AppData\Local\Temp\,756F3410,004033ED), ref: 00405FE7
                      • GetDiskFreeSpaceA.KERNEL32(00428810,?,?,0000040F,?,00428810,00428810,?,00000000,00428810,?,?,000003FB,?), ref: 0040466E
                      • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404689
                      • SetDlgItemTextA.USER32(00000000,00000400,00428800), ref: 0040470F
                      Strings
                      Similarity
                      • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
                      • String ID: A$C:\Program Files (x86)\Common Files\System$exec$bc
                      • API String ID: 2246997448-1532295069
                      APIs
                      • CoCreateInstance.OLE32(00407490,?,00000001,00407480,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040208C
                      • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00407480,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402145
                      Strings
                      • C:\Users\user\AppData\Local\Temp, xrefs: 004020C6
                      Similarity
                      • API ID: ByteCharCreateInstanceMultiWide
                      • String ID: C:\Users\user\AppData\Local\Temp
                      • API String ID: 123533781-1116454783
                      APIs
                      • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402656
                      Similarity
                      • API ID: FileFindFirst
                      • String ID:
                      • API String ID: 1974802433-0
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: cf8867d6101bc02cd333741bc16d3809633286117b08d7bbb21ed50c009bfa04
                      • Instruction ID: 385806c2739668645140c01f5b6ff000e6f031623af75186b4553f70e43bef22
                      • Opcode Fuzzy Hash: cf8867d6101bc02cd333741bc16d3809633286117b08d7bbb21ed50c009bfa04
                      • Instruction Fuzzy Hash: F8E1A871900709DFDB24CF58D890BAEBBF5EB44305F11892EE897A72C1D738AA95CB04
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 717e07093579f903d80a4def8278ecd40f538f9974cf9c2e968396f4138be9d4
                      • Instruction ID: 50e45ea88b018c9f5834e1b61ece485cc8bb7ae0d4a59570cc8b0277ca60f793
                      • Opcode Fuzzy Hash: 717e07093579f903d80a4def8278ecd40f538f9974cf9c2e968396f4138be9d4
                      • Instruction Fuzzy Hash: B6C14A31A00259CBDF14CF68D4905EEB7B2FF98314F26826AD85677384D738A952CF94
                      APIs
                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403B59
                      • ShowWindow.USER32(?), ref: 00403B76
                      • DestroyWindow.USER32 ref: 00403B8A
                      • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403BA6
                      • GetDlgItem.USER32(?,?), ref: 00403BC7
                      • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403BDB
                      • IsWindowEnabled.USER32(00000000), ref: 00403BE2
                      • GetDlgItem.USER32(?,00000001), ref: 00403C90
                      • GetDlgItem.USER32(?,00000002), ref: 00403C9A
                      • SetClassLongA.USER32(?,000000F2,?), ref: 00403CB4
                      • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D05
                      • GetDlgItem.USER32(?,00000003), ref: 00403DAB
                      • ShowWindow.USER32(00000000,?), ref: 00403DCC
                      • EnableWindow.USER32(?,?), ref: 00403DDE
                      • EnableWindow.USER32(?,?), ref: 00403DF9
                      • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E0F
                      • EnableMenuItem.USER32(00000000), ref: 00403E16
                      • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403E2E
                      • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E41
                      • lstrlenA.KERNEL32(00429840,?,00429840,rexzxxkPJ 1.0.1 Setup), ref: 00403E6A
                      • SetWindowTextA.USER32(?,00429840), ref: 00403E79
                      • ShowWindow.USER32(?,0000000A), ref: 00403FAD
                      Similarity
                      • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                      • String ID: rexzxxkPJ 1.0.1 Setup
                      • API String ID: 184305955-2013915387
                      • Opcode ID: f639e170c4e6dd51d34706c480f295068b31556b66e9830156e1af4b59dfc1ab
                      • Instruction ID: 53ea47a7efbd7011bfbbff5794cda1716021bb7e263f9c699cdd2b596dec6799
                      • Opcode Fuzzy Hash: f639e170c4e6dd51d34706c480f295068b31556b66e9830156e1af4b59dfc1ab
                      • Instruction Fuzzy Hash: C0C1B471A04205ABDB216F61ED85E2B7EBDFB4570AF50043EF601B11F1C739A9429B2E
                      APIs
                      • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004041C4
                      • GetDlgItem.USER32(00000000,000003E8), ref: 004041D8
                      • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004041F6
                      • GetSysColor.USER32(?), ref: 00404207
                      • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404216
                      • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404225
                      • lstrlenA.KERNEL32(?), ref: 00404228
                      • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404237
                      • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 0040424C
                      • GetDlgItem.USER32(?,0000040A), ref: 004042AE
                      • SendMessageA.USER32(00000000), ref: 004042B1
                      • GetDlgItem.USER32(?,000003E8), ref: 004042DC
                      • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 0040431C
                      • LoadCursorA.USER32(00000000,00007F02), ref: 0040432B
                      • SetCursor.USER32(00000000), ref: 00404334
                      • ShellExecuteA.SHELL32(0000070B,open,0042D360,00000000,00000000,00000001), ref: 00404347
                      • LoadCursorA.USER32(00000000,00007F00), ref: 00404354
                      • SetCursor.USER32(00000000), ref: 00404357
                      • SendMessageA.USER32(00000111,00000001,00000000), ref: 00404383
                      • SendMessageA.USER32(00000010,00000000,00000000), ref: 00404397
                      Similarity
                      • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                      • String ID: N$exec$open$bc
                      • API String ID: 3615053054-1791639287
                      • Opcode ID: f8980493e5e3225011cd1fb1c45d36850de4dea6f25672baad3d2426d56682f0
                      • Instruction ID: 51a918f93d9ce22823ec9901a893aadba5c4039dfb7bed43c269814a28128686
                      • Opcode Fuzzy Hash: f8980493e5e3225011cd1fb1c45d36850de4dea6f25672baad3d2426d56682f0
                      • Instruction Fuzzy Hash: D06195B1A40205BFEB109F61DC45F6A7B69FB84704F10803AFB04BA2D1C7B8A951CF99
                      APIs
                      • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                      • BeginPaint.USER32(?,?), ref: 00401047
                      • GetClientRect.USER32(?,?), ref: 0040105B
                      • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                      • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                      • DeleteObject.GDI32(?), ref: 004010ED
                      • CreateFontIndirectA.GDI32(?), ref: 00401105
                      • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                      • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                      • SelectObject.GDI32(00000000,?), ref: 00401140
                      • DrawTextA.USER32(00000000,rexzxxkPJ 1.0.1 Setup,000000FF,00000010,00000820), ref: 00401156
                      • SelectObject.GDI32(00000000,00000000), ref: 00401160
                      • DeleteObject.GDI32(?), ref: 00401165
                      • EndPaint.USER32(?,?), ref: 0040116E
                      Similarity
                      • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                      • String ID: F$rexzxxkPJ 1.0.1 Setup
                      • API String ID: 941294808-2006148029
                      • Opcode ID: 0738112f3730f5723303f5552d97b7ef5019c829863fd91e70d9a5e5ead5b819
                      • Instruction ID: 8dbc0a59f5899f6e6c9cc61e46a5ff1855a52f4dc82cfb90a20df61dd310464c
                      • Opcode Fuzzy Hash: 0738112f3730f5723303f5552d97b7ef5019c829863fd91e70d9a5e5ead5b819
                      • Instruction Fuzzy Hash: E9419A71804249AFCB05CF95CD459AFBFB9FF44310F00812AF961AA1A0C738EA50DFA5
                      APIs
                      • lstrcpyA.KERNEL32(0042B5D0,NUL,?,00000000,?,00000000,?,00405BDE,?,?,00000001,00405781,?,00000000,000000F1,?), ref: 00405A4A
                      • CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,?,00405BDE,?,?,00000001,00405781,?,00000000,000000F1,?), ref: 00405A6E
                      • GetShortPathNameA.KERNEL32(00000000,0042B5D0,00000400), ref: 00405A77
                        • Part of subcall function 004058F8: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B27,00000000,[Rename],00000000,00000000,00000000), ref: 00405908
                        • Part of subcall function 004058F8: lstrlenA.KERNEL32(00405B27,?,00000000,00405B27,00000000,[Rename],00000000,00000000,00000000), ref: 0040593A
                      • GetShortPathNameA.KERNEL32(?,0042B9D0,00000400), ref: 00405A94
                      • wsprintfA.USER32 ref: 00405AB2
                      • GetFileSize.KERNEL32(00000000,00000000,0042B9D0,C0000000,00000004,0042B9D0,?,?,?,?,?), ref: 00405AED
                      • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405AFC
                      • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405B34
                      • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,0042B1D0,00000000,-0000000A,00409384,00000000,[Rename],00000000,00000000,00000000), ref: 00405B8A
                      • WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405B9C
                      • GlobalFree.KERNEL32(00000000), ref: 00405BA3
                      • CloseHandle.KERNEL32(00000000), ref: 00405BAA
                        • Part of subcall function 00405993: GetFileAttributesA.KERNELBASE(00000003,00402CBE,C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe,80000000,00000003), ref: 00405997
                        • Part of subcall function 00405993: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059B9
                      Similarity
                      • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
                      • String ID: %s=%s$NUL$[Rename]
                      • API String ID: 1265525490-4148678300
                      • Opcode ID: 5bf9e00f5a1fc2c9505d78977265aac8eba7583d21133ff88468906d8ce9a7a9
                      • Instruction ID: eaad65bf7fcdd4cb3231e8f38f2fc3e053c860e0976feede91e5ffd0fc70beee
                      • Opcode Fuzzy Hash: 5bf9e00f5a1fc2c9505d78977265aac8eba7583d21133ff88468906d8ce9a7a9
                      • Instruction Fuzzy Hash: 5641F071604B19BFD2206B219C49F6B3A6CDB45754F14013ABE01F62D2DABCB8008EBD
                      APIs
                      • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403213,C:\Users\user\AppData\Local\Temp\,756F3410,004033ED), ref: 00405FC5
                      • CharNextA.USER32(?,?,?,00000000), ref: 00405FD2
                      • CharNextA.USER32(?,"C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403213,C:\Users\user\AppData\Local\Temp\,756F3410,004033ED), ref: 00405FD7
                      • CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403213,C:\Users\user\AppData\Local\Temp\,756F3410,004033ED), ref: 00405FE7
                      Similarity
                      • API ID: Char$Next$Prev
                      • String ID: "C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                      • API String ID: 589700163-2076470434
                      • Opcode ID: 629f8b76d7fa33355aab091ca9466ab0ab0c1990dabb568f1c5d9d4edaa7ed44
                      • Instruction ID: 2355fcfbcf55587157e02bf53b6e953ab02842200697eca98be5dc22fa6b9f54
                      • Opcode Fuzzy Hash: 629f8b76d7fa33355aab091ca9466ab0ab0c1990dabb568f1c5d9d4edaa7ed44
                      • Instruction Fuzzy Hash: ED11B251808B922EFB3216240C44B7B7F9D8B56764F18007BE9C5722C2D67C9C429B6D
                      APIs
                      • GetWindowLongA.USER32(?,000000EB), ref: 00404074
                      • GetSysColor.USER32(00000000), ref: 00404090
                      • SetTextColor.GDI32(?,00000000), ref: 0040409C
                      • SetBkMode.GDI32(?,?), ref: 004040A8
                      • GetSysColor.USER32(?), ref: 004040BB
                      • SetBkColor.GDI32(?,?), ref: 004040CB
                      • DeleteObject.GDI32(?), ref: 004040E5
                      • CreateBrushIndirect.GDI32(?), ref: 004040EF
                      Similarity
                      • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                      • String ID:
                      • API String ID: 2320649405-0
                      • Opcode ID: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
                      • Instruction ID: de5db0f2e7aa64e5c039a5c051c0237f46f02f20d7c590f25a2c42aa1f9c9885
                      • Opcode Fuzzy Hash: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
                      • Instruction Fuzzy Hash: 1D2165B15047049BC7319F68DD08B4B7BF4AF41714F04C939EA56B26E1C738E944CB65
                      APIs
                      • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 004026D9
                      • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004026F5
                      • GlobalFree.KERNEL32(?), ref: 0040272E
                      • WriteFile.KERNEL32(?,00000000,?,?), ref: 00402740
                      • GlobalFree.KERNEL32(00000000), ref: 00402747
                      • CloseHandle.KERNEL32(?), ref: 0040275F
                      • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402773
                      Similarity
                      • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                      • String ID:
                      • API String ID: 3294113728-0
                      • Opcode ID: 18fcc0cd5e847ab45f922e2828fea396be348b23bbb9cacbf8badf7cc224a248
                      • Instruction ID: 28f89918814e7952919769dc9d2faf5f60a6a620a9a166213a58779102186d69
                      • Opcode Fuzzy Hash: 18fcc0cd5e847ab45f922e2828fea396be348b23bbb9cacbf8badf7cc224a248
                      • Instruction Fuzzy Hash: D7318D71C00128BBDF116FA5CD49D9E7A79EF08364F10423AF520B72E1CB795D419BA9
                      APIs
                      • lstrlenA.KERNEL32(00429020,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C53,00000000,?), ref: 00405026
                      • lstrlenA.KERNEL32(00402C53,00429020,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C53,00000000), ref: 00405036
                      • lstrcatA.KERNEL32(00429020,00402C53,00402C53,00429020,00000000,00000000,00000000), ref: 00405049
                      • SetWindowTextA.USER32(00429020,00429020), ref: 0040505B
                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405081
                      • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040509B
                      • SendMessageA.USER32(?,00001013,?,00000000), ref: 004050A9
                      Similarity
                      • API ID: MessageSend$lstrlen$TextWindowlstrcat
                      • String ID:
                      • API String ID: 2531174081-0
                      • Opcode ID: 934b37008eeb32cd775bf80bb9d3f03e196656e127ddb18de4b190bb6b9af3f2
                      • Instruction ID: 3a2e401d7ec184b76f2d25156f4130faddfe7c559b03862a6a75acdc98b52196
                      • Opcode Fuzzy Hash: 934b37008eeb32cd775bf80bb9d3f03e196656e127ddb18de4b190bb6b9af3f2
                      • Instruction Fuzzy Hash: F0214A71D00518BBDF11AFA5DD84A9FBFA9EF05354F14807AF944B6290C6399E408FA8
                      APIs
                      • DestroyWindow.USER32(00000000,00000000), ref: 00402BF4
                      • GetTickCount.KERNEL32 ref: 00402C12
                      • wsprintfA.USER32 ref: 00402C40
                        • Part of subcall function 00404FED: lstrlenA.KERNEL32(00429020,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C53,00000000,?), ref: 00405026
                        • Part of subcall function 00404FED: lstrlenA.KERNEL32(00402C53,00429020,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C53,00000000), ref: 00405036
                        • Part of subcall function 00404FED: lstrcatA.KERNEL32(00429020,00402C53,00402C53,00429020,00000000,00000000,00000000), ref: 00405049
                        • Part of subcall function 00404FED: SetWindowTextA.USER32(00429020,00429020), ref: 0040505B
                        • Part of subcall function 00404FED: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405081
                        • Part of subcall function 00404FED: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040509B
                        • Part of subcall function 00404FED: SendMessageA.USER32(?,00001013,?,00000000), ref: 004050A9
                      • CreateDialogParamA.USER32(0000006F,00000000,00402B44,00000000), ref: 00402C64
                      • ShowWindow.USER32(00000000,00000005), ref: 00402C72
                        • Part of subcall function 00402BC0: MulDiv.KERNEL32(00000000,00000064,001157E3), ref: 00402BD5
                      Similarity
                      • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                      • String ID: ... %d%%
                      APIs
                      • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004048D3
                      • GetMessagePos.USER32 ref: 004048DB
                      • ScreenToClient.USER32(?,?), ref: 004048F5
                      • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404907
                      • SendMessageA.USER32(?,0000110C,00000000,?), ref: 0040492D
                      Strings
                      Similarity
                      • API ID: Message$Send$ClientScreen
                      • String ID: f
                      APIs
                      • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B5F
                      • wsprintfA.USER32 ref: 00402B93
                      • SetWindowTextA.USER32(?,?), ref: 00402BA3
                      • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BB5
                      Strings
                      Similarity
                      • API ID: Text$ItemTimerWindowwsprintf
                      • String ID: unpacking data: %d%%$verifying installer: %d%%
                      APIs
                      • SetWindowTextA.USER32(00000000,rexzxxkPJ 1.0.1 Setup), ref: 00403AE8
                      Strings
                      Similarity
                      • API ID: TextWindow
                      • String ID: "C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe"$1033$rexzxxkPJ 1.0.1 Setup$bc
                      APIs
                      • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040235C
                      • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsr5B39.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040237C
                      • RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsr5B39.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B5
                      • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsr5B39.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402492
                      Strings
                      Similarity
                      • API ID: CloseCreateValuelstrlen
                      • String ID: C:\Users\user\AppData\Local\Temp\nsr5B39.tmp
                      APIs
                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A60
                      • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A9C
                      • RegCloseKey.ADVAPI32(?), ref: 00402AA5
                      • RegCloseKey.ADVAPI32(?), ref: 00402ACA
                      • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AE8
                      Similarity
                      • API ID: Close$DeleteEnumOpen
                      • String ID:
                      APIs
                      • GetDlgItem.USER32(?), ref: 00401CD0
                      • GetClientRect.USER32(00000000,?), ref: 00401CDD
                      • LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CFE
                      • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D0C
                      • DeleteObject.GDI32(00000000), ref: 00401D1B
                      Similarity
                      • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                      • String ID:
                      APIs
                      • GetDC.USER32(?), ref: 00401D29
                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D36
                      • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D45
                      • ReleaseDC.USER32(?,00000000), ref: 00401D56
                      • CreateFontIndirectA.GDI32(0040A7E0), ref: 00401DA1
                      Similarity
                      • API ID: CapsCreateDeviceFontIndirectRelease
                      • String ID:
                      APIs
                      • lstrlenA.KERNEL32(00429840,00429840,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004046F6,000000DF,0000040F,00000400,00000000), ref: 00404864
                      • wsprintfA.USER32 ref: 0040486C
                      • SetDlgItemTextA.USER32(?,00429840), ref: 0040487F
                      Strings
                      Similarity
                      • API ID: ItemTextlstrlenwsprintf
                      • String ID: %u.%u%s%s
                      APIs
                      • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C18
                      • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C30
                      Strings
                      Similarity
                      • API ID: MessageSend$Timeout
                      • String ID: !
                      APIs
                      • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403225,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,756F3410,004033ED), ref: 00405798
                      • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403225,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,756F3410,004033ED), ref: 004057A1
                      • lstrcatA.KERNEL32(?,00409014), ref: 004057B2
                      Strings
                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00405792
                      Similarity
                      • API ID: CharPrevlstrcatlstrlen
                      • String ID: C:\Users\user\AppData\Local\Temp\
                      APIs
                      • GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401EEB
                      • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F09
                      • GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F22
                      • VerQueryValueA.VERSION(?,00409014,?,?,?,?,?,00000000), ref: 00401F3B
                        • Part of subcall function 00405C60: wsprintfA.USER32 ref: 00405C6D
                      Similarity
                      • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                      • String ID:
                      APIs
                      • CharNextA.USER32(?,?,C:\,?,00405897,C:\,C:\,?,?,756F2EE0,004055E2,?,C:\Users\user\AppData\Local\Temp\,756F2EE0,00000000), ref: 00405839
                      • CharNextA.USER32(00000000), ref: 0040583E
                      • CharNextA.USER32(00000000), ref: 00405852
                      Strings
                      Similarity
                      • API ID: CharNext
                      • String ID: C:\
                      APIs
                      • IsWindowVisible.USER32(?), ref: 00404F90
                      • CallWindowProcA.USER32(?,?,?,?), ref: 00404FE1
                        • Part of subcall function 0040403C: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0040404E
                      Strings
                      Similarity
                      • API ID: Window$CallMessageProcSendVisible
                      • String ID:
                      APIs
                      • lstrlenA.KERNEL32(00000000,00000011), ref: 004024F1
                      • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\ExecDos.dll,00000000,?,?,00000000,00000011), ref: 00402510
                      Strings
                      • C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\ExecDos.dll, xrefs: 004024DF, 00402504
                      Similarity
                      • API ID: FileWritelstrlen
                      • String ID: C:\Users\user\AppData\Local\Temp\nsr5B39.tmp\ExecDos.dll
                      APIs
                      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0042B048,Error launching installer), ref: 004054DA
                      • CloseHandle.KERNEL32(?), ref: 004054E7
                      Strings
                      • Error launching installer, xrefs: 004054C8
                      Similarity
                      • API ID: CloseCreateHandleProcess
                      • String ID: Error launching installer
                      • API String ID: 3712363035-66219284
                      • Opcode ID: c82750a759a67e79c34c3a54aa1659eb4846bd53169e64852319e1b2d12ec80a
                      • Instruction ID: 3f803119d0532a69338aae9307032d935ac3012ab76985d7ca226e317d20b44a
                      • Opcode Fuzzy Hash: c82750a759a67e79c34c3a54aa1659eb4846bd53169e64852319e1b2d12ec80a
                      • Instruction Fuzzy Hash: 0BE0ECB4A00209ABDB119F64ED09AAB7BBCEB00305B408921BD15E2151D778E8148BAD
                      APIs
                      • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CE7,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe,C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe,80000000,00000003), ref: 004057DF
                      • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CE7,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe,C:\Users\user\Desktop\#U8fdd#U89c4#U540d#U5355.exe,80000000,00000003), ref: 004057ED
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1485657622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1485604753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485728938.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485969593.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_#U8fdd#U89c4#U540d#U5355.jbxd
                      Similarity
                      • API ID: CharPrevlstrlen
                      • String ID: C:\Users\user\Desktop
                      • API String ID: 2709904686-4267323751
                      • Opcode ID: c27a981e79bb352b20b7a8c74a9367836393bd04b8b6ccbc39cacac652a51138
                      • Instruction ID: 76011171f6d0e6950088f0aa4b3629fee4e5a762b8920e757ffbe5f750ee8066
                      • Opcode Fuzzy Hash: c27a981e79bb352b20b7a8c74a9367836393bd04b8b6ccbc39cacac652a51138
                      • Instruction Fuzzy Hash: F8D0C7A341DD706EF703A2149C04B9F6A48DF56700F194466F180A7191C6785D415BEE
                      APIs
                      • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B27,00000000,[Rename],00000000,00000000,00000000), ref: 00405908
                      • lstrcmpiA.KERNEL32(00405B27,00000000), ref: 00405920
                      • CharNextA.USER32(00405B27,?,00000000,00405B27,00000000,[Rename],00000000,00000000,00000000), ref: 00405931
                      • lstrlenA.KERNEL32(00405B27,?,00000000,00405B27,00000000,[Rename],00000000,00000000,00000000), ref: 0040593A
                      Memory Dump Source
                      • Source File: 00000000.00000002.1485657622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1485604753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485728938.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485793484.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1485969593.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_#U8fdd#U89c4#U540d#U5355.jbxd
                      Similarity
                      • API ID: lstrlen$CharNextlstrcmpi
                      • String ID:
                      • API String ID: 190613189-0
                      • Opcode ID: 0add82ed76356020c4ee8264c56a6ad6875436601f5ed096891bbb40787d2247
                      • Instruction ID: b7106a7191636f941c7e6f31b9612d0bb0416be57b79a4528272a484e6569b35
                      • Opcode Fuzzy Hash: 0add82ed76356020c4ee8264c56a6ad6875436601f5ed096891bbb40787d2247
                      • Instruction Fuzzy Hash: 97F0C232604418FFC7129FA5DC00D9EBBA8EF16360B2100AAE800F7210D274EF019FA9

                      Execution Graph

                      Execution Coverage:8.2%
                      Dynamic/Decrypted Code Coverage:0%
                      Signature Coverage:1.5%
                      Total number of Nodes:2000
                      Total number of Limit Nodes:37
1d5cb2 29549->29550 29551 1d7635 6 API calls 29550->29551 29552 1d5cc7 29551->29552 29553 1d5cdf 29552->29553 29554 1d5cce GetFileAttributesW 29552->29554 29564 1d1ab0 free 29553->29564 29563 1d1ab0 free 29554->29563 29557 1d5cda 29557->29548 29558->29468 29559->29443 29560->29505 29561->29518 29562->29514 29563->29557 29564->29548 29568 1d26e0 29565->29568 29567 1d283d 29567->29300 29567->29567 29569 1d1a89 ctype 2 API calls 29568->29569 29570 1d26f5 29569->29570 29570->29567 29670 1ec054 __EH_prolog 29669->29670 29671 1ed6f7 free 29670->29671 29672 1ec066 29671->29672 29673 1d28d9 2 API calls 29672->29673 29678 1ec06e 29673->29678 29674 1ec0c7 29683 1d1ab0 free 29674->29683 29676 1ec0b5 29676->29674 29685 1d150c 4 API calls 2 library calls 29676->29685 29677 1ebf81 29677->29356 29678->29674 29678->29676 29680 1d1089 4 API calls 29678->29680 29684 1d150c 4 API calls 2 library calls 29678->29684 29680->29678 29682->29366 29683->29677 29684->29678 29685->29674 29687 1ed88e __EH_prolog 29686->29687 29688 1d29ac 2 API calls 29687->29688 29689 1ed8b6 29688->29689 29694 1ed959 29689->29694 29695 1ed963 __EH_prolog 29694->29695 29697 1d1a89 ctype 2 API calls 29695->29697 29699 1ed99c 29695->29699 29696 1ed8c6 29701 1eda12 29696->29701 29697->29699 29698 1d1a89 ctype 2 API calls 29698->29699 29699->29696 29699->29698 29700 1d29ac malloc _CxxThrowException 29699->29700 29700->29699 29702 1eda1c __EH_prolog 29701->29702 29704 1d1a89 ctype 2 API calls 29702->29704 29707 1eda51 29702->29707 29703 1ed8ee 29703->29376 29704->29707 29705 1d1a89 ctype 2 API calls 29705->29707 29707->29703 29707->29705 29708 1e9a26 malloc _CxxThrowException memcpy ctype 29707->29708 29708->29707 29724 1de720 29725 1de72a __EH_prolog 29724->29725 30147 1eec4e 29725->30147 29728 1d8161 VariantClear 29730 1de892 29728->29730 29729 1d8161 VariantClear 29788 1de86c 29729->29788 29731 1de84e 29730->29731 29732 1de8cb 29730->29732 29733 1de910 29730->29733 29731->29729 30230 1d2b27 malloc 
_CxxThrowException free SysStringLen ctype 29732->30230 29733->29731 29735 1de8dc 29733->29735 29736 1d8161 VariantClear 29735->29736 29737 1de8e4 29736->29737 29738 1de93f 29737->29738 29742 1de909 29737->29742 30231 1d2b27 malloc _CxxThrowException free SysStringLen ctype 29737->30231 29740 1d8161 VariantClear 29738->29740 29738->29742 29746 1de94a 29740->29746 29741 1deb1f 29743 1ee7b0 VariantClear 29741->29743 29742->29741 30239 1d374c 4 API calls 2 library calls 29742->30239 29744 1deb33 29743->29744 29747 1de3f0 VariantClear 29744->29747 29744->29788 29749 1dea1d 29746->29749 29752 1d28d9 2 API calls 29746->29752 29746->29788 29758 1deb42 29747->29758 29748 1deadc 29751 1deaf0 29748->29751 30241 1e059f free memmove ctype 29748->30241 29749->29741 29749->29742 30238 1d3045 memmove 29749->30238 29757 1eafe4 4 API calls 29751->29757 29756 1de9a0 29752->29756 29754 1deab1 29754->29748 29754->29751 30240 1d3733 wcscmp 29754->30240 30232 1dfcd2 malloc _CxxThrowException __EH_prolog 29756->30232 29760 1deafb 29757->29760 29758->29788 29794 1deb6d 29758->29794 30243 1de70a 8 API calls 29758->30243 29764 1d2a7c 3 API calls 29760->29764 29762 1dec77 29766 1dec80 29762->29766 29767 1ded32 29762->29767 29763 1de9ac 30233 1d6be4 malloc _CxxThrowException free _CxxThrowException 29763->30233 29765 1deb0b 29764->29765 30242 1d1ab0 free 29765->30242 29776 1d1a89 ctype 2 API calls 29766->29776 29781 1dec8f 29766->29781 29778 1dedf1 29767->29778 29779 1ded52 29767->29779 29767->29788 29769 1de9cb 29772 1de9f2 29769->29772 30234 1d6d83 4 API calls 2 library calls 29769->30234 29771 1deb7d 29771->29762 29771->29788 30245 1e059f free memmove ctype 29771->30245 30236 1dff0d free ctype 29772->30236 29773 1deb13 29782 1e9828 ctype free 29773->29782 29774 1eafe4 4 API calls 29792 1decc9 29774->29792 29776->29781 29795 1dee3a 29778->29795 29796 1dee1a 29778->29796 29784 1d1a89 ctype 2 API calls 29779->29784 29781->29774 29782->29741 29783 1de9de 29787 1d2a7c 3 API calls 29783->29787 
29784->29788 29785 1dea12 30237 1d1ab0 free 29785->30237 29786 1ded01 30246 1d1ab0 free 29786->30246 29790 1de9ea 29787->29790 30235 1d1ab0 free 29790->30235 29791 1decf2 29799 1d2c61 4 API calls 29791->29799 29792->29786 29792->29791 29793 1d1089 4 API calls 29792->29793 29793->29791 29794->29771 29794->29788 30244 1d3733 wcscmp 29794->30244 29797 1dee41 29795->29797 29803 1dfc8e 29795->29803 29802 1d8161 VariantClear 29796->29802 29804 1d8161 VariantClear 29797->29804 29799->29786 29802->29788 29805 1d8161 VariantClear 29803->29805 29806 1dee6f 29804->29806 29805->29788 30181 1de35b 29806->30181 29809 1de35b VariantClear 29810 1deebe 29809->29810 29810->29788 29811 1de35b VariantClear 29810->29811 29812 1deef5 29811->29812 29812->29788 29813 1ee7b0 VariantClear 29812->29813 29814 1def2b 29813->29814 29814->29788 29816 1def6d 29814->29816 30247 1eae5b 9 API calls 2 library calls 29814->30247 29817 1df018 29816->29817 29819 1d29ac 2 API calls 29816->29819 30185 1eafe4 29817->30185 29820 1def88 29819->29820 30248 1eac4b malloc _CxxThrowException free 29820->30248 29821 1df146 29824 1d29ac 2 API calls 29821->29824 29823 1df048 29823->29821 29831 1d28d9 2 API calls 29823->29831 29827 1df153 29824->29827 29825 1def94 29828 1defbc 29825->29828 29829 1defa2 29825->29829 29843 1df191 29827->29843 30258 1dfe75 4 API calls 2 library calls 29827->30258 29833 1defa9 29828->29833 30250 1d3ed8 wcscmp 29828->30250 30249 1e0557 4 API calls 2 library calls 29829->30249 29834 1df059 29831->29834 29837 1df000 29833->29837 29841 1d1089 4 API calls 29833->29841 30254 1de2a7 9 API calls 29834->30254 29842 1d2c61 4 API calls 29837->29842 29839 1df178 29845 1d2a7c 3 API calls 29839->29845 29840 1defc9 29840->29833 30251 1e0557 4 API calls 2 library calls 29840->30251 29841->29837 29846 1df00c 29842->29846 29849 1df232 29843->29849 29857 1d28d9 2 API calls 29843->29857 29844 1df069 29847 1df13a 29844->29847 30255 1e06a8 4 API calls 2 library calls 29844->30255 29848 1df185 29845->29848 
30252 1d1ab0 free 29846->30252 30257 1d1ab0 free 29847->30257 30259 1d1ab0 free 29848->30259 29853 1df23e 29849->29853 29863 1df292 29849->29863 29856 1d2a7c 3 API calls 29853->29856 29860 1df24f 29856->29860 29861 1df1b8 29857->29861 29858 1df25b 29859 1d2a7c 3 API calls 29858->29859 29865 1df267 29858->29865 29862 1df6b1 29859->29862 29860->29858 29864 1d4d9d 8 API calls 29860->29864 30260 1d1ab0 free 29861->30260 29867 1df8e4 29862->29867 29871 1d28d9 2 API calls 29862->29871 29981 1dfc4b 29862->29981 29863->29858 29866 1d28d9 2 API calls 29863->29866 29864->29858 30263 1d1ab0 free 29865->30263 29869 1df2b1 29866->29869 29870 1df974 29867->29870 29867->29981 30393 1dd956 VariantClear _CxxThrowException __EH_prolog 29867->30393 29875 1d5cf7 36 API calls 29869->29875 29879 1d1a89 ctype 2 API calls 29870->29879 29877 1df6ce 29871->29877 29873 1df080 29880 1d2a7c 3 API calls 29873->29880 29874 1df1dc 29874->29849 29886 1d2a7c 3 API calls 29874->29886 29881 1df2c3 29875->29881 29884 1df6fb 29877->29884 30322 1dfdf4 malloc _CxxThrowException free __EH_prolog ctype 29877->30322 29878 1df26f 30264 1d1ab0 free 29878->30264 29901 1df97b 29879->29901 29887 1df133 29880->29887 29900 1df2cb 29881->29900 29904 1df603 29881->29904 29883 1dfc7b 30413 1d1ab0 free 29883->30413 29893 1d2c61 4 API calls 29884->29893 29894 1df1f5 29886->29894 30256 1e044b 10 API calls 29887->30256 29889 1df2d2 29895 1df2da 29889->29895 29906 1df43c 29889->29906 29907 1df4a5 29889->29907 29890 1df914 29896 1df91a 29890->29896 29941 1df943 29890->29941 29898 1df70b 29893->29898 29899 1d1089 4 API calls 29894->29899 30302 1d1ab0 free 29895->30302 30394 1d1ab0 free 29896->30394 29897 1df6e2 29905 1d2a7c 3 API calls 29897->29905 30324 1de585 6 API calls 2 library calls 29898->30324 29909 1df1ff 29899->29909 29900->29889 30265 1dfcb7 malloc _CxxThrowException 29900->30265 30227 1d695e 29901->30227 29903 1df49c 30321 1d1ab0 free 29903->30321 29904->29903 29927 1d29ac 2 API calls 29904->29927 29917 1df6ef 
29905->29917 30280 1d91fe 36 API calls 2 library calls 29906->30280 29915 1df4ae 29907->29915 29916 1df576 29907->29916 29920 1d29ac 2 API calls 29909->29920 29914 1df922 30395 1d1ab0 free 29914->30395 29926 1d29ac 2 API calls 29915->29926 29929 1df59c 29916->29929 29930 1df583 29916->29930 30323 1d1ab0 free 29917->30323 29919 1df713 29932 1df717 29919->29932 29933 1df751 29919->29933 29921 1df20e 29920->29921 30261 1eac4b malloc _CxxThrowException free 29921->30261 29922 1df2f8 29936 1d287e 2 API calls 29922->29936 29923 1df5eb 30303 1d1ab0 free 29923->30303 29939 1df4ba 29926->29939 29982 1df62b 29927->29982 29942 1d6150 36 API calls 29929->29942 30196 1d4d9d 29930->30196 29931 1df444 29931->29903 29943 1df448 29931->29943 30325 1de40d 4 API calls 2 library calls 29932->30325 29935 1d28d9 2 API calls 29933->29935 29947 1df759 29935->29947 29948 1df30a 29936->29948 29938 1dfa0b 30398 1de47a 7 API calls 2 library calls 29938->30398 30288 1d91fe 36 API calls 2 library calls 29939->30288 29941->29870 29953 1df969 29941->29953 29954 1df991 29941->29954 29955 1df5a1 29942->29955 30281 1de40d 4 API calls 2 library calls 29943->30281 29945 1df21a 29959 1d2c61 4 API calls 29945->29959 29946 1dfb74 29962 1dfbe9 29946->29962 29995 1d29ac 2 API calls 29946->29995 29960 1df772 29947->29960 29975 1df767 29947->29975 30266 1d1ab0 free 29948->30266 29949 1df5f3 30304 1d1ab0 free 29949->30304 29967 1d2a7c 3 API calls 29953->29967 30396 1d4eee 8 API calls 2 library calls 29954->30396 29955->29903 30209 1d5302 29955->30209 29957 1df727 29969 1df8d7 29957->29969 29970 1df731 29957->29970 29972 1df226 29959->29972 30329 1d7c08 29960->30329 29962->29981 30024 1dfc16 29962->30024 29964 1dfa1c 29964->29865 29978 1dfa26 29964->29978 29965 1df4c6 29979 1df4dd 29965->29979 29980 1df4ca 29965->29980 29966 1df590 30301 1de47a 7 API calls 2 library calls 29966->30301 29967->29870 29968 1df459 29984 1df47f 29968->29984 29985 1df462 29968->29985 30392 1d1ab0 free 29969->30392 30326 1d1ab0 free 
29970->30326 29971 1df99b 29971->29981 29990 1df9a3 29971->29990 30262 1d1ab0 free 29972->30262 29973 1dfa6c 29973->29946 30006 1d6a47 3 API calls 29973->30006 29994 1d2a7c 3 API calls 29975->29994 29976 1df316 30017 1df361 29976->30017 30066 1df389 29976->30066 30399 1d1ab0 free 29978->30399 30290 1d4e1f 8 API calls 2 library calls 29979->30290 30289 1de40d 4 API calls 2 library calls 29980->30289 30412 1d1ab0 free 29981->30412 29999 1d28d9 2 API calls 29982->29999 30285 1d1ab0 free 29984->30285 30282 1d1ab0 free 29985->30282 29989 1df739 30327 1d1ab0 free 29989->30327 30397 1de50b 4 API calls 2 library calls 29990->30397 30007 1df770 29994->30007 30008 1dfb99 29995->30008 30011 1df654 29999->30011 30000 1df5b9 GetLastError 30000->29903 30000->29966 30001 1df467 30283 1d1ab0 free 30001->30283 30004 1df5d9 30004->29895 30004->29985 30005 1df484 30286 1d1ab0 free 30005->30286 30016 1dfab9 30006->30016 30020 1df8ce 30007->30020 30034 1df7a9 30007->30034 30035 1df7e3 30007->30035 30049 1df7db 30007->30049 30408 1e080c malloc _CxxThrowException free memmove memcpy 30008->30408 30009 1df4db 30041 1df52f 30009->30041 30042 1df50a 30009->30042 30010 1df4e8 30022 1df4ec 30010->30022 30023 1df569 30010->30023 30025 1d5cf7 36 API calls 30011->30025 30013 1df741 30328 1d1ab0 free 30013->30328 30014 1df9b5 30014->29978 30029 1df9be 30014->30029 30031 1dfb13 30016->30031 30401 1de47a 7 API calls 2 library calls 30016->30401 30267 1d1ab0 free 30017->30267 30391 1d1ab0 free 30020->30391 30291 1de50b 4 API calls 2 library calls 30022->30291 30300 1d1ab0 free 30023->30300 30410 1d1ab0 free 30024->30410 30040 1df666 30025->30040 30026 1df46f 30284 1d1ab0 free 30026->30284 30029->29865 30030 1df48c 30287 1d1ab0 free 30030->30287 30404 1d658a SetFilePointer GetLastError 30031->30404 30033 1dfbbe 30048 1dfbda 30033->30048 30063 1d2a7c 3 API calls 30033->30063 30374 1d4eee 8 API calls 2 library calls 30034->30374 30035->30020 30377 1d6a94 malloc _CxxThrowException free memset 
30035->30377 30037 1df3e8 30279 1d1ab0 free 30037->30279 30038 1dfa38 30400 1d1ab0 free 30038->30400 30055 1df680 30040->30055 30305 1d4cfc 30040->30305 30296 1d1ab0 free 30041->30296 30292 1d1ab0 free 30042->30292 30047 1df369 30268 1d1ab0 free 30047->30268 30409 1d1ab0 free 30048->30409 30376 1d1ab0 free 30049->30376 30051 1df571 30051->29903 30319 1d1ab0 free 30055->30319 30060 1df534 30297 1d1ab0 free 30060->30297 30061 1dfad4 30061->30031 30078 1dfadb 30061->30078 30063->30048 30065 1df7b4 30065->30020 30375 1de50b 4 API calls 2 library calls 30065->30375 30066->30037 30067 1df3f1 30066->30067 30080 1df3a1 30066->30080 30275 1d1ab0 free 30067->30275 30069 1dfb21 30069->29946 30405 1de47a 7 API calls 2 library calls 30069->30405 30070 1dfc2c 30411 1d1ab0 free 30070->30411 30071 1df50f 30293 1d1ab0 free 30071->30293 30074 1df68b 30320 1d1ab0 free 30074->30320 30075 1df810 30084 1df8c6 30075->30084 30378 1dfcd2 malloc _CxxThrowException __EH_prolog 30075->30378 30402 1d1ab0 free 30078->30402 30079 1df371 30269 1d1ab0 free 30079->30269 30080->30037 30089 1df3a4 30080->30089 30082 1df517 30294 1d1ab0 free 30082->30294 30390 1d1ab0 free 30084->30390 30085 1df53c 30298 1d1ab0 free 30085->30298 30086 1df400 30276 1d1ab0 free 30086->30276 30089->30041 30099 1df3ae 30089->30099 30097 1df379 30270 1d1ab0 free 30097->30270 30098 1df7d1 30098->30020 30098->30049 30271 1d1ab0 free 30099->30271 30100 1dfb35 30100->29946 30108 1dfb3c 30100->30108 30101 1df51f 30295 1d1ab0 free 30101->30295 30102 1df820 30379 1d6be4 malloc _CxxThrowException free _CxxThrowException 30102->30379 30103 1df544 30299 1d1ab0 free 30103->30299 30104 1df408 30277 1d1ab0 free 30104->30277 30105 1dfaf1 30403 1d1ab0 free 30105->30403 30406 1d1ab0 free 30108->30406 30114 1df3b3 30272 1d1ab0 free 30114->30272 30117 1df839 30121 1df83d 30117->30121 30122 1df88f 30117->30122 30118 1df410 30278 1d1ab0 free 30118->30278 30119 1df3bb 30273 1d1ab0 free 30119->30273 30120 1dfb52 30407 1d1ab0 free 30120->30407 
30380 1de40d 4 API calls 2 library calls 30121->30380 30387 1d6ec3 47 API calls 2 library calls 30122->30387 30128 1df3c3 30274 1d1ab0 free 30128->30274 30129 1df84d 30132 1df8ba 30129->30132 30133 1df853 30129->30133 30130 1df8a3 30130->30132 30388 1de47a 7 API calls 2 library calls 30130->30388 30389 1dff0d free ctype 30132->30389 30381 1dff0d free ctype 30133->30381 30137 1df85f 30382 1d1ab0 free 30137->30382 30139 1df867 30383 1d1ab0 free 30139->30383 30141 1df86f 30384 1d1ab0 free 30141->30384 30143 1df877 30385 1d1ab0 free 30143->30385 30145 1df87f 30386 1d1ab0 free 30145->30386 30148 1eec58 __EH_prolog 30147->30148 30149 1ed6f7 free 30148->30149 30150 1eec9c 30149->30150 30414 1ee80f 30150->30414 30154 1eecca 30155 1d2a7c 3 API calls 30154->30155 30163 1de821 30154->30163 30156 1eece4 30155->30156 30169 1eecfa 30156->30169 30418 1ee82b VariantClear 30156->30418 30158 1eee5d 30421 1ee847 8 API calls 2 library calls 30158->30421 30159 1eeef1 30423 1d374c 4 API calls 2 library calls 30159->30423 30160 1eedf1 30164 1d2a18 3 API calls 30160->30164 30168 1eee28 30160->30168 30163->29728 30163->29731 30163->29788 30164->30168 30165 1eedad 30167 1d8161 VariantClear 30165->30167 30166 1eed83 30166->30165 30171 1eed94 30166->30171 30420 1eebd5 8 API calls 30166->30420 30167->30163 30168->30158 30168->30159 30169->30160 30169->30163 30169->30165 30169->30166 30419 1d2b27 malloc _CxxThrowException free SysStringLen ctype 30169->30419 30175 1d8161 VariantClear 30171->30175 30172 1eee6d 30172->30163 30173 1d2a18 3 API calls 30172->30173 30179 1eeeac 30173->30179 30175->30160 30176 1eedbf 30176->30165 30177 1ee80f VariantClear 30176->30177 30178 1eedd0 30177->30178 30178->30165 30178->30171 30179->30163 30422 1d4513 free ctype 30179->30422 30183 1de365 __EH_prolog 30181->30183 30182 1d8161 VariantClear 30184 1de3dd 30182->30184 30183->30182 30184->29788 30184->29809 30186 1eafee __EH_prolog 30185->30186 30187 1d28d9 2 API calls 30186->30187 30188 1eb004 30187->30188 30189 
1eb030 30188->30189 30191 1d1089 4 API calls 30188->30191 30192 1d2c61 4 API calls 30188->30192 30190 1d29ac 2 API calls 30189->30190 30193 1eb03c 30190->30193 30191->30188 30192->30188 30424 1d1ab0 free 30193->30424 30195 1df023 30195->29821 30195->29823 30253 1d4513 free ctype 30195->30253 30197 1d4da7 __EH_prolog 30196->30197 30198 1d4dcc 30197->30198 30199 1d4dc1 RemoveDirectoryW 30197->30199 30200 1d4dc8 30198->30200 30201 1d28d9 2 API calls 30198->30201 30199->30198 30199->30200 30200->29903 30200->29966 30202 1d4dd8 30201->30202 30203 1d7635 6 API calls 30202->30203 30204 1d4ded 30203->30204 30205 1d4e08 30204->30205 30206 1d4df4 RemoveDirectoryW 30204->30206 30426 1d1ab0 free 30205->30426 30425 1d1ab0 free 30206->30425 30210 1d530c __EH_prolog 30209->30210 30211 1d5c7a 8 API calls 30210->30211 30213 1d5319 30211->30213 30212 1d5332 30215 1d534a DeleteFileW 30212->30215 30216 1d5355 30212->30216 30217 1d5351 30212->30217 30213->30212 30214 1d4cfc 8 API calls 30213->30214 30214->30212 30215->30216 30215->30217 30216->30217 30218 1d28d9 2 API calls 30216->30218 30217->29903 30217->30000 30219 1d5361 30218->30219 30220 1d7635 6 API calls 30219->30220 30221 1d5376 30220->30221 30222 1d537d DeleteFileW 30221->30222 30223 1d5391 30221->30223 30427 1d1ab0 free 30222->30427 30428 1d1ab0 free 30223->30428 30226 1d5389 30226->30217 30429 1d6941 30227->30429 30230->29735 30231->29738 30232->29763 30233->29769 30234->29783 30235->29772 30236->29785 30237->29749 30238->29749 30239->29754 30240->29754 30241->29751 30242->29773 30243->29794 30244->29794 30245->29762 30246->29788 30247->29816 30248->29825 30249->29833 30250->29840 30251->29833 30252->29817 30253->29823 30254->29844 30255->29873 30256->29847 30257->29821 30258->29839 30259->29843 30260->29874 30261->29945 30262->29849 30263->29878 30264->29788 30265->29922 30266->29976 30267->30047 30268->30079 30269->30097 30270->29788 30271->30114 30272->30119 30273->30128 30274->29788 30275->30086 30276->30104 
30277->30118 30278->29788 30279->29889 30280->29931 30281->29968 30282->30001 30283->30026 30284->29788 30285->30005 30286->30030 30287->29788 30288->29965 30289->30009 30290->30010 30291->30009 30292->30071 30293->30082 30294->30101 30295->29788 30296->30060 30297->30085 30298->30103 30299->29788 30300->30051 30301->30004 30302->29923 30303->29949 30304->29788 30306 1d4d06 __EH_prolog 30305->30306 30307 1d4d31 30306->30307 30308 1d4d23 SetFileAttributesW 30306->30308 30309 1d4d2d 30307->30309 30310 1d28d9 2 API calls 30307->30310 30308->30307 30308->30309 30309->30055 30311 1d4d3d 30310->30311 30312 1d7635 6 API calls 30311->30312 30313 1d4d52 30312->30313 30314 1d4d56 SetFileAttributesW 30313->30314 30315 1d4d70 30313->30315 30432 1d1ab0 free 30314->30432 30433 1d1ab0 free 30315->30433 30318 1d4d68 30318->30309 30319->30074 30320->29903 30321->29858 30322->29897 30323->29884 30324->29919 30325->29957 30326->29989 30327->30013 30328->29788 30330 1d7c12 __EH_prolog 30329->30330 30331 1d2a18 3 API calls 30330->30331 30332 1d7c25 30331->30332 30333 1d7c83 30332->30333 30339 1d7c32 30332->30339 30334 1d28d9 2 API calls 30333->30334 30335 1d7c8b 30334->30335 30336 1d7c96 30335->30336 30337 1d7ca1 30335->30337 30340 1d2a18 3 API calls 30336->30340 30437 1d7a3b malloc _CxxThrowException free GetCurrentDirectoryW 30337->30437 30338 1d7c7e 30338->30007 30373 1de40d 4 API calls 2 library calls 30338->30373 30339->30338 30434 1d291c malloc _CxxThrowException 30339->30434 30343 1d7c9f 30340->30343 30346 1d7ccf 30343->30346 30438 1d708f malloc _CxxThrowException free _CxxThrowException 30343->30438 30344 1d7c4b 30435 1d7a93 memmove 30344->30435 30439 1d1ab0 free 30346->30439 30347 1d7c57 30350 1d7c76 30347->30350 30352 1d2c61 4 API calls 30347->30352 30436 1d1ab0 free 30350->30436 30352->30350 30353 1d28d9 2 API calls 30354 1d7d35 30353->30354 30355 1d7d62 30354->30355 30356 1d7d48 30354->30356 30357 1d2a18 3 API calls 30355->30357 30440 1d2c15 malloc _CxxThrowException free 
_CxxThrowException 30356->30440 30360 1d7d60 30357->30360 30358 1d7cb5 30358->30346 30358->30353 30442 1d7a93 memmove 30360->30442 30361 1d7d57 30441 1d2c15 malloc _CxxThrowException free _CxxThrowException 30361->30441 30364 1d7d76 30365 1d7d88 30364->30365 30366 1d7d7a 30364->30366 30368 1d2a7c 3 API calls 30365->30368 30443 1d1ab0 free 30366->30443 30369 1d7da4 30368->30369 30370 1d2c61 4 API calls 30369->30370 30371 1d7db0 30370->30371 30444 1d1ab0 free 30371->30444 30373->30007 30374->30065 30375->30098 30376->30035 30377->30075 30378->30102 30379->30117 30380->30129 30381->30137 30382->30139 30383->30141 30384->30143 30385->30145 30386->29788 30387->30130 30388->30129 30389->30084 30390->30020 30391->29969 30392->29867 30393->29890 30394->29914 30395->29788 30396->29971 30397->30014 30398->29964 30399->30038 30400->29788 30401->30061 30402->30105 30403->29788 30404->30069 30405->30100 30406->30120 30407->29788 30408->30033 30409->29962 30410->30070 30411->29788 30412->29883 30413->29788 30415 1ee7b0 VariantClear 30414->30415 30416 1ee81a 30415->30416 30416->30163 30417 1eebd5 8 API calls 30416->30417 30417->30154 30418->30169 30419->30166 30420->30176 30421->30172 30422->30163 30423->30163 30424->30195 30425->30200 30426->30200 30427->30226 30428->30217 30430 1d63be 9 API calls 30429->30430 30431 1d695b 30430->30431 30431->29938 30431->29973 30432->30318 30433->30309 30434->30344 30435->30347 30436->30338 30437->30343 30438->30358 30439->30338 30440->30361 30441->30360 30442->30364 30443->30346 30444->30346 30445 20001d 30446 200026 30445->30446 30447 20003c 30445->30447 30783 1d1ca1 fputc 30446->30783 30607 1fb0e7 30447->30607 30451 1d28d9 2 API calls 30452 200094 30451->30452 30611 1e9213 30452->30611 30454 2000bc 30671 1d1ab0 free 30454->30671 30456 2000cb 30457 2000e1 30456->30457 30784 202634 30456->30784 30459 200101 30457->30459 30792 1fb485 8 API calls 2 library calls 30457->30792 30672 20259b 30459->30672 30463 1e9828 ctype free 30465 2007f2 
30463->30465 30464 1d1a89 ctype 2 API calls 30466 200133 30464->30466 30467 1e9828 ctype free 30465->30467 30469 200146 30466->30469 30793 200ea9 malloc _CxxThrowException __EH_prolog 30466->30793 30468 2007fe 30467->30468 30470 200815 30468->30470 30472 200810 30468->30472 30474 1d2a7c 3 API calls 30469->30474 30839 2017ba _CxxThrowException 30470->30839 30838 2017d5 33 API calls __aulldiv 30472->30838 30480 20017f 30474->30480 30476 20081d 30840 1d1ab0 free 30476->30840 30478 200828 30841 1eab95 free ctype 30478->30841 30690 200aa1 30480->30690 30481 200838 30483 200848 30481->30483 30485 1ecb0f 2 API calls 30481->30485 30842 200a23 free __EH_prolog 30483->30842 30485->30483 30488 200857 30843 1d1ab0 free 30488->30843 30491 200866 30844 1d11bb free __EH_prolog ctype 30491->30844 30492 1dd33c 4 API calls 30494 200227 30492->30494 30496 1d28d9 2 API calls 30494->30496 30495 200872 30845 201c59 free __EH_prolog ctype 30495->30845 30498 20022f 30496->30498 30696 1ebba8 30498->30696 30499 200881 30501 1e9828 ctype free 30499->30501 30504 20088d 30501->30504 30503 200276 30702 1e9af9 30503->30702 30507 20026f 30795 2017ba _CxxThrowException 30507->30795 30510 2002d6 30512 200316 30510->30512 30796 1d1ca1 fputc 30510->30796 30511 202634 ctype 6 API calls 30511->30510 30513 200392 30512->30513 30800 1d1ca1 fputc 30512->30800 30514 2003cd 30513->30514 30517 2003a8 fputs 30513->30517 30519 20040c 30514->30519 30523 2003e7 fputs 30514->30523 30536 20048d 30514->30536 30805 1d1f3a fputs 30517->30805 30518 200337 30518->30513 30522 200349 fputs 30518->30522 30525 200421 fputs 30519->30525 30532 200445 30519->30532 30519->30536 30520 2002ee fputs 30797 1d1ca1 fputc 30520->30797 30801 1d1f3a fputs 30522->30801 30807 1d1f3a fputs 30523->30807 30809 1d1f3a fputs 30525->30809 30526 2003c6 30806 1d1ca1 fputc 30526->30806 30529 200304 30798 1d1cb4 10 API calls 2 library calls 30529->30798 30532->30536 30811 1d1ca1 fputc 30532->30811 30534 200366 30802 1d1ca1 fputc 30534->30802 30535 
200405 30808 1d1ca1 fputc 30535->30808 30549 2004dd 30536->30549 30814 1d1ca1 fputc 30536->30814 30537 20030f 30799 1d1ca1 fputc 30537->30799 30538 20043e 30810 1d1ca1 fputc 30538->30810 30540 200665 30834 1ebc1c free ctype 30540->30834 30544 2004aa 30544->30549 30552 2004b8 fputs 30544->30552 30548 20045a 30548->30536 30554 200468 fputs 30548->30554 30549->30540 30550 200667 30549->30550 30556 200519 30549->30556 30831 1d1ca1 fputc 30550->30831 30551 20036d fputs 30803 1d1f3a fputs 30551->30803 30815 1d1f3a fputs 30552->30815 30553 2006b2 30835 1d1ab0 free 30553->30835 30812 1d1f3a fputs 30554->30812 30556->30540 30568 200533 fputs 30556->30568 30569 200558 30556->30569 30558 20038b 30804 1d1ca1 fputc 30558->30804 30562 20066e 30562->30540 30567 20067f fputs 30562->30567 30564 2004d6 30816 1d1ca1 fputc 30564->30816 30565 2006ba 30836 201f69 free __EH_prolog ctype 30565->30836 30566 200486 30813 1d1ca1 fputc 30566->30813 30832 1d1f3a fputs 30567->30832 30817 1d1f3a fputs 30568->30817 30570 200583 fputs 30569->30570 30584 2005fa fputs 30569->30584 30819 1d1f3a fputs 30570->30819 30577 2006ca 30837 1d1ab0 free 30577->30837 30578 20069c 30578->30540 30833 1d1ca1 fputc 30578->30833 30579 200551 30818 1d1ca1 fputc 30579->30818 30580 2005a1 30820 1d1ca1 fputc 30580->30820 30825 1d1f3a fputs 30584->30825 30586 2006d5 30586->30463 30588 2005a8 30588->30584 30590 2005b3 fputs 30588->30590 30589 200618 30826 1d1ca1 fputc 30589->30826 30821 1d1f3a fputs 30590->30821 30593 200622 fputs 30827 1d1f3a fputs 30593->30827 30594 2005ce 30822 1d1ca1 fputc 30594->30822 30597 200644 30828 1d1ca1 fputc 30597->30828 30598 2005d5 fputs 30602 20064b 30602->30540 30829 1d1ca1 fputc 30602->30829 30608 1fb0fd 30607->30608 30609 1fb0f0 30607->30609 30608->30451 30846 1d23a3 malloc _CxxThrowException free ctype 30609->30846 30612 1e921d __EH_prolog 30611->30612 30847 1e7de9 30612->30847 30617 1e9274 30861 1e944e free __EH_prolog ctype 30617->30861 30619 1e92e6 30865 1e944e free __EH_prolog 

                      APIs
                      • GetCurrentProcess.KERNEL32(00000020,001DBAA9,?,76E33440,?,?,?,?,001DBAA9,001DB8EE), ref: 001D7EA4
                      • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,001DBAA9,001DB8EE), ref: 001D7EAB
                      • LookupPrivilegeValueW.ADVAPI32(00000000,SeRestorePrivilege,?), ref: 001D7EBD
                      • AdjustTokenPrivileges.KERNELBASE(001DBAA9,00000000,?,00000000,00000000,00000000), ref: 001D7EE3
                      • GetLastError.KERNEL32 ref: 001D7EED
                      • FindCloseChangeNotification.KERNELBASE(001DBAA9,?,?,?,?,001DBAA9,001DB8EE), ref: 001D7F03
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: ProcessToken$AdjustChangeCloseCurrentErrorFindLastLookupNotificationOpenPrivilegePrivilegesValue
                      • String ID: SeRestorePrivilege
                      • API String ID: 2838110999-1684392131
                      • Opcode ID: caf917bac9d4b8a9bbf8a30374974b4b861e38466e33e338dfd3f6a58f7a9bf7
                      • Instruction ID: f5c448b687dcaca542aa11b010a3faeaf112279d46a920f684e48c9744854371
                      • Opcode Fuzzy Hash: caf917bac9d4b8a9bbf8a30374974b4b861e38466e33e338dfd3f6a58f7a9bf7
                      • Instruction Fuzzy Hash: 55018076945228ABDB219BF1AC4DBDFBF7CEF05300F040055E942E2292E7758644CBA0

                      APIs
                      • __EH_prolog.LIBCMT ref: 001DD6AE
                      • GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,0020D620,76E38E30), ref: 001DD6C0
                      • OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,0020D620,76E38E30), ref: 001DD6D7
                      • LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 001DD6F9
                      • AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,0020D620,76E38E30), ref: 001DD70E
                      • GetLastError.KERNEL32(?,00000000,?,?,00000000,0020D620,76E38E30), ref: 001DD718
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: ProcessToken$AdjustCurrentErrorH_prologLastLookupOpenPrivilegePrivilegesValue
                      • String ID: SeSecurityPrivilege
                      • API String ID: 3475889169-2333288578
                      • Opcode ID: 5a4ae3ca4e35f84dd54d12cd90b6c6a8b6404b0c08744e9e2b3acb348c5bdbfe
                      • Instruction ID: 7791963e2555695d941304893419f3c8eae03462a764e70c30d979f0fffd96b7
                      • Opcode Fuzzy Hash: 5a4ae3ca4e35f84dd54d12cd90b6c6a8b6404b0c08744e9e2b3acb348c5bdbfe
                      • Instruction Fuzzy Hash: 471121B19412199FDB10DFA4ECC9AFEB7BDFB04344F00456AE412E2292D7748944CA60
                      APIs
                      • __EH_prolog.LIBCMT ref: 001D58C9
                        • Part of subcall function 001D58A4: FindClose.KERNELBASE(00000000,?,001D58DC), ref: 001D58AF
                      • FindFirstFileW.KERNELBASE(?,?,00000001,00000000), ref: 001D5901
                      • FindFirstFileW.KERNELBASE(?,?,00000000,00000001,00000000), ref: 001D593A
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: Find$FileFirst$CloseH_prolog
                      • String ID:
                      • API String ID: 3371352514-0
                      • Opcode ID: 8dde856eea3cca5c2f7cee52bef247b5806dacde3254ea3dd0b087d46d9bc8ef
                      • Instruction ID: 34c58e7a4f852cb94781964ecbc97dbec04dd8960296fa220d7a9a7306563f9b
                      • Opcode Fuzzy Hash: 8dde856eea3cca5c2f7cee52bef247b5806dacde3254ea3dd0b087d46d9bc8ef
                      • Instruction Fuzzy Hash: 7811D03140060AEBCF14EF64C8919EDB77AEF21338F10422AE9A1573D2DB319E85DB90

                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: fputs$ExceptionThrow
                      • String ID: Fv$7zCon.sfx$8T!$@T!$Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Size: $Sub items Errors: $Warnings:
                      • API String ID: 3665150552-3758946205
                      • Opcode ID: dc126aad45d79e4fa0fdb3be81c9ed5b50820332a50237206c550f68e5825391
                      • Instruction ID: 9712499b4ab4cb538445f1c5e541f3fd0d4dba8427355b2e16e5aa5d19d8e37c
                      • Opcode Fuzzy Hash: dc126aad45d79e4fa0fdb3be81c9ed5b50820332a50237206c550f68e5825391
                      • Instruction Fuzzy Hash: 5B528831914259EFDF26EBA4CC95BEDBBB5BF94300F04409AE449A7292DB706E94CF10

                      APIs
                        • Part of subcall function 00201405: fputs.MSVCRT ref: 0020141E
                        • Part of subcall function 00201405: fputs.MSVCRT ref: 0020142E
                      • GetStdHandle.KERNEL32(000000F5,?,?), ref: 001FF3C8
                      • GetConsoleScreenBufferInfo.KERNEL32(00000000), ref: 001FF3CF
                      • _CxxThrowException.MSVCRT(?,00211ED8), ref: 001FF4C8
                      • _CxxThrowException.MSVCRT(?,0020EAC0), ref: 001FF4DE
                        • Part of subcall function 001D1CB4: __EH_prolog.LIBCMT ref: 001D1CB9
                        • Part of subcall function 001D1CB4: fputs.MSVCRT ref: 001D1D2C
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: fputs$ExceptionThrow$BufferConsoleH_prologHandleInfoScreen
                      • String ID: || $ Fv$@T!$Can't load module: $Codecs:$Formats:$Hashers:$KSNFMGOPBELH$Libs:$XT!$offset=$6)$X#$!
                      • API String ID: 3818720731-1604991587
                      • Opcode ID: 1b7ffb4e3409c5af7e5491ebd007863d07b57b10dbd59d3084dd1f8472ddb60a
                      • Instruction ID: 5455534acddb270059c1faa6223c5ad9b6e157de1acd224230d59e2d3f62be25
                      • Opcode Fuzzy Hash: 1b7ffb4e3409c5af7e5491ebd007863d07b57b10dbd59d3084dd1f8472ddb60a
                      • Instruction Fuzzy Hash: F952BC71A00218EFDF15EFA4D885BBDBBB5FF58300F20009AE505A7292CB759A95CF61

                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: fputc
                      • String ID: Fv$8T!$@T!$Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Scanning the drive for archives:$Size: $Warnings:
                      • API String ID: 1992160199-3742663923
                      • Opcode ID: 9b3de20ce4177c004045a3914ecf2198169d491872bbdc3572f81599345e4e09
                      • Instruction ID: cb06f936f5934510e31d1c96e0d2c682716cc2b304b999098cfa196e8526967b
                      • Opcode Fuzzy Hash: 9b3de20ce4177c004045a3914ecf2198169d491872bbdc3572f81599345e4e09
                      • Instruction Fuzzy Hash: 59228A31915358EFDF26EBA4CC95BEDFBB2AF94300F00409AE04967292DB706A94DF10

                      Control-flow Graph

                      APIs
                      • __EH_prolog.LIBCMT ref: 001DB712
                        • Part of subcall function 001D13E5: __EH_prolog.LIBCMT ref: 001D13EA
                      • _CxxThrowException.MSVCRT(?,0020EF08), ref: 001DB759
                      • _fileno.MSVCRT ref: 001DB76A
                      • _isatty.MSVCRT ref: 001DB76D
                      • _fileno.MSVCRT ref: 001DB787
                      • _isatty.MSVCRT ref: 001DB78A
                      • _fileno.MSVCRT ref: 001DB7A1
                      • _CxxThrowException.MSVCRT(?,0020EF08), ref: 001DB8B5
                      • wcscmp.MSVCRT ref: 001DB93C
                      • _CxxThrowException.MSVCRT(?,0020EF08), ref: 001DB96E
                      • _isatty.MSVCRT ref: 001DB7A4
                        • Part of subcall function 001E96EC: __EH_prolog.LIBCMT ref: 001E96F1
                      • _CxxThrowException.MSVCRT(?,0020EF08), ref: 001DB9EE
                      • _CxxThrowException.MSVCRT(?,0020EF08), ref: 001DBA16
                      • GetCurrentProcess.KERNEL32(?,?,00000000,Set process affinity mask: ,?,0020EF08,Unsupported switch postfix -stm,?,?), ref: 001DBA34
                      • SetProcessAffinityMask.KERNEL32(00000000), ref: 001DBA3B
                      • GetLastError.KERNEL32(?,?,00000000,Set process affinity mask: ,?,0020EF08,Unsupported switch postfix -stm,?,?), ref: 001DBA45
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: ExceptionThrow$H_prolog_fileno_isatty$Process$AffinityCurrentErrorLastMaskwcscmp
                      • String ID: : ERROR : $@4v$SeLockMemoryPrivilege$Set process affinity mask: $Unsupported switch postfix -bb$Unsupported switch postfix -stm$Unsupported switch postfix for -slp$unsupported value -stm
                      • API String ID: 1826148334-2312418150
                      • Opcode ID: 6d69cc8241251295dfaa71dd0e16820f516a6bdc3a1534ea4041452c9f15d74b
                      • Instruction ID: 2c70777092de695a8d89e10912b1105cc4a7b61f4cf61c6a530aff5a0a05590c
                      • Opcode Fuzzy Hash: 6d69cc8241251295dfaa71dd0e16820f516a6bdc3a1534ea4041452c9f15d74b
                      • Instruction Fuzzy Hash: 21B1E271A08385DFDB11DFA4C8C9BD9BBF4AF25304F05849AE49697393CB74A984CB50

                      Control-flow Graph

                      APIs
                      • __EH_prolog.LIBCMT ref: 001EC2CF
                      • GetProcAddress.KERNEL32(00000004,GetHandlerProperty2), ref: 001EC2FC
                      • GetProcAddress.KERNEL32(00000004,GetIsArc), ref: 001EC308
                      • GetProcAddress.KERNEL32(00000004,GetNumberOfFormats), ref: 001EC320
                      • GetProcAddress.KERNEL32(00000004,GetHandlerProperty), ref: 001EC33C
                      • SysStringByteLen.OLEAUT32(?), ref: 001EC3D6
                        • Part of subcall function 001D1AB0: free.MSVCRT(00000000,001ED714,00000001,00000001,?,?,001D10EB,?,00000000), ref: 001D1AB4
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: AddressProc$ByteH_prologStringfree
                      • String ID: GetHandlerProperty$GetHandlerProperty2$GetIsArc$GetNumberOfFormats
                      • API String ID: 655409697-3984264347
                      • Opcode ID: 355fcd7b66f9385276039242ad35f58a75967cb76286321523888623ed97385b
                      • Instruction ID: 13247a7df443b0bab778412ef47e63c1f57a2cd634b25d7b0150576ad6bc70d3
                      • Opcode Fuzzy Hash: 355fcd7b66f9385276039242ad35f58a75967cb76286321523888623ed97385b
                      • Instruction Fuzzy Hash: 20A17171E00699AFCF14EBA5CD85AEEBBB9BF54300F10415AE405B3291DB70AE46CF91

                      Control-flow Graph

                      APIs
                      • GetProcAddress.KERNEL32(00000004,CreateDecoder), ref: 001EC104
                      • GetProcAddress.KERNEL32(00000004,CreateEncoder), ref: 001EC110
                      • GetProcAddress.KERNEL32(00000004,GetMethodProperty), ref: 001EC11C
                      • GetProcAddress.KERNEL32(00000004,GetNumberOfMethods), ref: 001EC137
                      • GetProcAddress.KERNEL32(00000004,GetHashers), ref: 001EC1F2
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: CreateDecoder$CreateEncoder$GetHashers$GetMethodProperty$GetNumberOfMethods
                      • API String ID: 190572456-73314117
                      • Opcode ID: 8dc070c995db1770fc5544499949024f678673a0a849dbda7360b22ee2022520
                      • Instruction ID: 12787b869b8ca2cb4715da796f3100857713d3082baf676e4bfc22689edb328a
                      • Opcode Fuzzy Hash: 8dc070c995db1770fc5544499949024f678673a0a849dbda7360b22ee2022520
                      • Instruction Fuzzy Hash: 63412C75E0071AABCF14DFA5CD80A9EBBB5FF58300F104056E915AB245D770EA56CF90
                      APIs
                      • __EH_prolog.LIBCMT ref: 001DE725
                        • Part of subcall function 001D374C: __EH_prolog.LIBCMT ref: 001D3751
                        • Part of subcall function 001D3733: wcscmp.MSVCRT ref: 001D373E
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: H_prolog$wcscmp
                      • String ID: $Can not seek to begin of file$Dangerous link path was ignored$Incorrect path$Internal error for symbolic link file$\??\
                      • API String ID: 3232955128-2809321072
                      • Opcode ID: 2db6192e9f7ed590f550f46b8894de517cd072a2ae27497758e03ddd1f3179c7
                      • Instruction ID: d99e9c484da843b700c5e0da55c418f62e429b1688d997956462ef3462cd4738
                      • Opcode Fuzzy Hash: 2db6192e9f7ed590f550f46b8894de517cd072a2ae27497758e03ddd1f3179c7
                      • Instruction Fuzzy Hash: 75E27E31900289EFCF25EFA4C991AEDBBB1BF24304F14446FE456AB352DB316A46DB11

                      Control-flow Graph

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: _initterm$__getmainargs__p___initenv__p__commode__p__fmode__set_app_type
                      • String ID: 4P!
                      • API String ID: 4012487245-720492884
                      • Opcode ID: 719cbabfa0e8489957aac1dac7babe0de552758724468ec5692b07c60fb79fea
                      • Instruction ID: 37c3a19880f9c3ffd520b185a01185975b6bb441aa59e652f3b07b4b36844c4d
                      • Opcode Fuzzy Hash: 719cbabfa0e8489957aac1dac7babe0de552758724468ec5692b07c60fb79fea
                      • Instruction Fuzzy Hash: 4E212C75910715EFCB11AFA4EC4EADABBB8FB5D720F008255E516A22E2CB345490CF60

                      Control-flow Graph

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: _initterm$FilterXcpt__getmainargs__p___initenv__setusermatherr_controlfpexit
                      • String ID: 4P!
                      • API String ID: 279829931-720492884
                      • Opcode ID: 89871b363b49331d9d08d5fb364d5e309cd10a25601fa9684041fa43ced68739
                      • Instruction ID: e72d9ad2ed7a1a284a6be344c1e4d79fa37f26ab5a35eb34990daf4cfe6dcc96
                      • Opcode Fuzzy Hash: 89871b363b49331d9d08d5fb364d5e309cd10a25601fa9684041fa43ced68739
                      • Instruction Fuzzy Hash: AD01DBB5910719EFDF05ABE0EC49CEEB7B9FB5D310B104055F602A62A2DB369850CF60

                      Control-flow Graph

                      APIs
                      • __EH_prolog.LIBCMT ref: 001D5CFC
                      • SetLastError.KERNEL32(00000002,?,00000000,00000001,:$DATA,00000001,00000000,00000001), ref: 001D5EFB
                        • Part of subcall function 001D7DCD: GetModuleHandleW.KERNEL32(kernel32.dll,GetDiskFreeSpaceExW,756EF5D0,000000FF,00000000,?,?,?,?,?,?,?,?,?,001D6760,00000001), ref: 001D7DE9
                        • Part of subcall function 001D7DCD: GetProcAddress.KERNEL32(00000000), ref: 001D7DF0
                        • Part of subcall function 001D7DCD: GetDiskFreeSpaceW.KERNEL32(00000001,001D6760,?,?,?,?,?,?,?,?,?,?,?,?,001D6760,00000001), ref: 001D7E40
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: AddressDiskErrorFreeH_prologHandleLastModuleProcSpace
                      • String ID: :$:$DATA$\
                      • API String ID: 3991446108-1004618218
                      • Opcode ID: 6e87e82b6a85c0d91c9929e54c20ca0d00c09bc15e19fb5cf8eeb235c06ce9f5
                      • Instruction ID: f6f7f3a9f025f83e3c6720bad491885968e346c8e2c423d54d7163ad60102a99
                      • Opcode Fuzzy Hash: 6e87e82b6a85c0d91c9929e54c20ca0d00c09bc15e19fb5cf8eeb235c06ce9f5
                      • Instruction Fuzzy Hash: FFD1D330900709DECF24EFA4C995AEDB7B2BF24314F10461BE8566B3E2DB716A49CB50

                      Control-flow Graph

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: AddressH_prologProcmemcpy
                      • String ID: Codecs\$Formats\$SetCodecs
                      • API String ID: 1477616095-1934353212
                      • Opcode ID: 95b66d8362c9565ca7b0a6907ab8f40bdd1158f552105193732746ebfc80c949
                      • Instruction ID: 42703b3ddeeb300bb7e492594ec1b635ce3bb91910f00e639cc8997caede83c5
                      • Opcode Fuzzy Hash: 95b66d8362c9565ca7b0a6907ab8f40bdd1158f552105193732746ebfc80c949
                      • Instruction Fuzzy Hash: 4D918171C00699EFCF10DFA5CC91AEDFBB0BF24314F14456AE459A3252DB306A8ACB90

                      Control-flow Graph

                      APIs
                        • Part of subcall function 001D49E9: FreeLibrary.KERNELBASE(00000000,00000004,001D4A3B,?,001EC99A,00000000,00000000,?,00000000,00000000,?,?,001ECCEC,00000000,00000000,?), ref: 001D49F3
                        • Part of subcall function 001ED728: __EH_prolog.LIBCMT ref: 001ED72D
                        • Part of subcall function 001D4A33: LoadLibraryW.KERNELBASE(00000000,?,001EC99A,00000000,00000000,?,00000000,00000000,?,?,001ECCEC,00000000,00000000,?), ref: 001D4A43
                      • GetProcAddress.KERNEL32(00000004,SetLargePageMode), ref: 001EC9C2
                      • GetProcAddress.KERNEL32(00000004,SetCaseSensitive), ref: 001EC9D7
                      • GetProcAddress.KERNEL32(00000004,CreateObject), ref: 001EC9EF
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: AddressProc$Library$FreeH_prologLoad
                      • String ID: CreateObject$SetCaseSensitive$SetLargePageMode
                      • API String ID: 1090236637-606380122
                      • Opcode ID: 8bf48e7e9d775e9053612ceb9128219f7c89ed4558d4ec958802f2fdcc511a8b
                      • Instruction ID: ac9a006beec39bee9a38f4351cba92e1c6e010aeefe2651575faec929339cbe3
                      • Opcode Fuzzy Hash: 8bf48e7e9d775e9053612ceb9128219f7c89ed4558d4ec958802f2fdcc511a8b
                      • Instruction Fuzzy Hash: 07419030200B85AFDF14DF2ACC91BAD77E5AF99348F048429E8468B292DB75ED11CB90

                      APIs
                      • __EH_prolog.LIBCMT ref: 001E9218
                        • Part of subcall function 001E7DE9: __EH_prolog.LIBCMT ref: 001E7DEE
                        • Part of subcall function 001E80DA: __EH_prolog.LIBCMT ref: 001E80DF
                      • _CxxThrowException.MSVCRT(?,0020EF08), ref: 001E9312
                        • Part of subcall function 001E944E: __EH_prolog.LIBCMT ref: 001E9453
                      Strings
                      • Duplicate archive path:, xrefs: 001E9436
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: H_prolog$ExceptionThrow
                      • String ID: Duplicate archive path:
                      • API String ID: 2366012087-4000988232
                      • Opcode ID: 6dc028e1e21aa966e9e97ee13baafc5315ec0165563954d503d195a9d04894d1
                      • Instruction ID: d1a20429c18ffd154ef2226ce433c28b277e7f6e9ef8cf81edc31b6100b9861d
                      • Opcode Fuzzy Hash: 6dc028e1e21aa966e9e97ee13baafc5315ec0165563954d503d195a9d04894d1
                      • Instruction Fuzzy Hash: 79817C31D00699EFCF15EFA5D981ADDB7B5BF29310F1040AAE516772A2DB30AE04CB61

                      APIs
                      • __EH_prolog.LIBCMT ref: 001E9AFE
                      • _CxxThrowException.MSVCRT(?,0020E278), ref: 001E9C7C
                      • _CxxThrowException.MSVCRT(?,0020E278), ref: 001EA2FE
                      • _CxxThrowException.MSVCRT(0020A718,0020E278), ref: 001E9C91
                        • Part of subcall function 001D1AB0: free.MSVCRT(00000000,001ED714,00000001,00000001,?,?,001D10EB,?,00000000), ref: 001D1AB4
                        • Part of subcall function 001EA52B: __EH_prolog.LIBCMT ref: 001EA530
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: ExceptionThrow$H_prolog$free
                      • String ID:
                      • API String ID: 1223536468-0
                      • Opcode ID: 0cfbe06bc9b0a64b047fffed07aebc788d087c468d286efb6ec3907b88bcdeee
                      • Instruction ID: 2e6bab1a133bef71b0f83e10d9e8404762a3b34abf234aacf12aa76783667e0c
                      • Opcode Fuzzy Hash: 0cfbe06bc9b0a64b047fffed07aebc788d087c468d286efb6ec3907b88bcdeee
                      • Instruction Fuzzy Hash: C7621470904698DFCB25DFA9C984ADDBBF1BF58304F24419AE849A7352CB70AE84CF51
                      APIs
                      • __EH_prolog.LIBCMT ref: 001EA620
                        • Part of subcall function 001EEC4E: __EH_prolog.LIBCMT ref: 001EEC53
                      • GetLastError.KERNEL32(?,002092AC,-00000087,0000000D,00000000,00000000,?), ref: 001EA971
                      Strings
                      • Can not create output directory: , xrefs: 001EA985
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: H_prolog$ErrorLast
                      • String ID: Can not create output directory:
                      • API String ID: 2901101390-3123869724
                      • Opcode ID: 1007d51678c584c076a6ef1fa90f42dbe901e710729693639136157a9ad56594
                      • Instruction ID: 339360b8bc78ccc0e56f6892b200177cd40cad15c78a7a65669c140078beba06
                      • Opcode Fuzzy Hash: 1007d51678c584c076a6ef1fa90f42dbe901e710729693639136157a9ad56594
                      • Instruction Fuzzy Hash: FCE1D170D016C9EFCF24DFA5C590AEDBBB4BF28304F5440AAE445A7252DB30AE46CB52
                      APIs
                      • __EH_prolog.LIBCMT ref: 001ECDF4
                        • Part of subcall function 001D4AB0: __EH_prolog.LIBCMT ref: 001D4AB5
                        • Part of subcall function 001D6150: __EH_prolog.LIBCMT ref: 001D6155
                        • Part of subcall function 001D61A9: __EH_prolog.LIBCMT ref: 001D61AE
                        • Part of subcall function 001D1AB0: free.MSVCRT(00000000,001ED714,00000001,00000001,?,?,001D10EB,?,00000000), ref: 001D1AB4
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: H_prolog$free
                      • String ID: Codecs$Formats
                      • API String ID: 2654054672-513325466
                      • Opcode ID: 700b737771a6e025603f4bdd63a7f775ccfa27fe46d4c87e2052fbae46cff2c0
                      • Instruction ID: 7186b832c3fe548d5e4d964738ccd76ef8db45f3eb3f01d0ff128346ab30ef70
                      • Opcode Fuzzy Hash: 700b737771a6e025603f4bdd63a7f775ccfa27fe46d4c87e2052fbae46cff2c0
                      • Instruction Fuzzy Hash: BA41C631941389AECF05EBE1DA51BEDB7B6AFB5344F18415AE401372A3CB340A0BD751
                      APIs
                      • __EH_prolog.LIBCMT ref: 001D63C3
                        • Part of subcall function 001D6470: FindCloseChangeNotification.KERNELBASE(00000000,?,001D63D3,000000FF,00000009,00000001), ref: 001D647B
                      • CreateFileW.KERNELBASE(?,00000001,00000009,00000000,000000FF,00000009,00000000,00000001,00000009,000000FF,00000009,00000001), ref: 001D6409
                      • CreateFileW.KERNEL32(00000001,00000001,00000001,00000000,000000FF,00000009,00000000,00000000,00000001,00000009,000000FF), ref: 001D644A
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: CreateFile$ChangeCloseFindH_prologNotification
                      • String ID:
                      • API String ID: 3273702577-0
                      • Opcode ID: f998651f7ed2ace62159e352a202ecc3ae0ed39bcbedc35b2aabf622f07a60c9
                      • Instruction ID: 82e85a6443343659d4bf829e53c3272a605bbd7c1934d70af5b0bc18ef3e03c6
                      • Opcode Fuzzy Hash: f998651f7ed2ace62159e352a202ecc3ae0ed39bcbedc35b2aabf622f07a60c9
                      • Instruction Fuzzy Hash: 9E118E7280020AEFCF11AFA4DC418EEBB7AFF14354B108A2AF961572A1C7359D65EB50
                      APIs
                      • __EH_prolog.LIBCMT ref: 001D5307
                        • Part of subcall function 001D5C7A: __EH_prolog.LIBCMT ref: 001D5C7F
                        • Part of subcall function 001D5C7A: GetFileAttributesW.KERNELBASE(?,00000001,?,00000000,00000001), ref: 001D5C9F
                        • Part of subcall function 001D5C7A: GetFileAttributesW.KERNEL32(00000002,00000000,00000001,?,00000000,00000001), ref: 001D5CCE
                      • DeleteFileW.KERNELBASE(?,?,00000000,?), ref: 001D534B
                      • DeleteFileW.KERNEL32(?,00000000,?,00000000,?), ref: 001D537D
                        • Part of subcall function 001D4CFC: __EH_prolog.LIBCMT ref: 001D4D01
                        • Part of subcall function 001D4CFC: SetFileAttributesW.KERNELBASE(?,?,?,00000000,?), ref: 001D4D27
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: File$AttributesH_prolog$Delete
                      • String ID:
                      • API String ID: 579516761-0
                      • Opcode ID: bfba468eeb620479a79bf7c2a279fcc6fd4234d463de4ab61b26ddf2b353e471
                      • Instruction ID: ce54e4694a7f47eb948641fc7d4ed2633252cd4579d59a694670cd2dd3ccdf08
                      • Opcode Fuzzy Hash: bfba468eeb620479a79bf7c2a279fcc6fd4234d463de4ab61b26ddf2b353e471
                      • Instruction Fuzzy Hash: 23110872A00B01BBCF2466B855426BE7777BF913A4F18011BED12933C3DFA48C569961
                      APIs
                      • __EH_prolog.LIBCMT ref: 001D4D01
                      • SetFileAttributesW.KERNELBASE(?,?,?,00000000,?), ref: 001D4D27
                      • SetFileAttributesW.KERNEL32(?,?,00000000,?,00000000,?), ref: 001D4D5C
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: AttributesFile$H_prolog
                      • String ID:
                      • API String ID: 3790360811-0
                      • Opcode ID: a7da1b8f29601d3e8c8180b05092297885a7cb35f1d0879786984e60c3cbc321
                      • Instruction ID: 55fc2b7c531ef788f40b9afe04f3f7857c8cb8c671c3176c5da8c4c3492cce65
                      • Opcode Fuzzy Hash: a7da1b8f29601d3e8c8180b05092297885a7cb35f1d0879786984e60c3cbc321
                      • Instruction Fuzzy Hash: 59012832D00756ABCF05ABE4A8816FEB776EF60350F14442BEC1263392DB754C15EA50
                      APIs
                      • __EH_prolog.LIBCMT ref: 001D5C7F
                      • GetFileAttributesW.KERNELBASE(?,00000001,?,00000000,00000001), ref: 001D5C9F
                        • Part of subcall function 001D1AB0: free.MSVCRT(00000000,001ED714,00000001,00000001,?,?,001D10EB,?,00000000), ref: 001D1AB4
                      • GetFileAttributesW.KERNEL32(00000002,00000000,00000001,?,00000000,00000001), ref: 001D5CCE
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: AttributesFile$H_prologfree
                      • String ID:
                      • API String ID: 86656847-0
                      • Opcode ID: f861cf270afe0679e1a986aa5d1d08a7a6af82b4420831dab6caf69dea9327c8
                      • Instruction ID: de09f1ef158f5cd36c42043d9792c79ddb741a3f1a05cd32a887cb5808f7af5f
                      • Opcode Fuzzy Hash: f861cf270afe0679e1a986aa5d1d08a7a6af82b4420831dab6caf69dea9327c8
                      • Instruction Fuzzy Hash: 2C012D3291075467CB1177BCA9826BEBB7AAF54370F10022BF922933D2DB704D44A690
                      APIs
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: H_prolog
                      • String ID:
                      • API String ID: 3519838083-0
                      • Opcode ID: b1955514d84f19951a4e5edfdcd0edc2fcdd75907aac4e8a2fcc85bbb828980f
                      • Instruction ID: 2d0fd6d2d3477d181e28dcfe95294113ec9f989e09aeed38ecdfc56ca809b5e1
                      • Opcode Fuzzy Hash: b1955514d84f19951a4e5edfdcd0edc2fcdd75907aac4e8a2fcc85bbb828980f
                      • Instruction Fuzzy Hash: 925192B1544BC29FD726CF71C484BEABBE1AF89300F14885DE59A4B202D7B0ADC8DB50
                      APIs
                      • __EH_prolog.LIBCMT ref: 001D5085
                        • Part of subcall function 001D5C7A: __EH_prolog.LIBCMT ref: 001D5C7F
                        • Part of subcall function 001D5C7A: GetFileAttributesW.KERNELBASE(?,00000001,?,00000000,00000001), ref: 001D5C9F
                        • Part of subcall function 001D5C7A: GetFileAttributesW.KERNEL32(00000002,00000000,00000001,?,00000000,00000001), ref: 001D5CCE
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: AttributesFileH_prolog
                      • String ID:
                      • API String ID: 3244726999-0
                      • Opcode ID: 88e1f0b38497b03662845eb8c685aafd65e65a1297fee310d090b39fd9fb6252
                      • Instruction ID: dd5d3f0af19c3b49541c5b47fc233d926a3eb12721e1ab9dd952a56a3765824b
                      • Opcode Fuzzy Hash: 88e1f0b38497b03662845eb8c685aafd65e65a1297fee310d090b39fd9fb6252
                      • Instruction Fuzzy Hash: 6E319F31900A169BCF18EB98C9926FEB373BF25304F10056BE95277391DB215E46CB91
                      APIs
                      • __EH_prolog.LIBCMT ref: 001F2D42
                      • GetLastError.KERNEL32(?,?,00000000), ref: 001F2DE1
                        • Part of subcall function 001D1A89: malloc.MSVCRT ref: 001D1A8F
                        • Part of subcall function 001D1A89: _CxxThrowException.MSVCRT(?,0020E050), ref: 001D1AA9
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: ErrorExceptionH_prologLastThrowmalloc
                      • String ID:
                      • API String ID: 3967182680-0
                      • Opcode ID: 0fdcae4cb5ec2c413075d0d05c0461dffd330ca56684c94791b23951b5682470
                      • Instruction ID: aae9ee6cb02cc952697e1688654513b69bd1f5a3bc2351f5e4bb73ad98be7752
                      • Opcode Fuzzy Hash: 0fdcae4cb5ec2c413075d0d05c0461dffd330ca56684c94791b23951b5682470
                      • Instruction Fuzzy Hash: AE41BF71A00349AFCB14DFA8C8846BEBBB4BF54310F24456EE55AE7292CB749E05CB61
                      APIs
                      • SetFilePointer.KERNELBASE(000000FF,?,00000000,?,000000FF,?,000000FF,?,001D6587,?,?,00000000,?,001D65C2,?,?), ref: 001D6535
                      • GetLastError.KERNEL32(?,001D6587,?,?,00000000,?,001D65C2,?,?,?,?,00000000), ref: 001D6542
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: ErrorFileLastPointer
                      • String ID:
                      • API String ID: 2976181284-0
                      • Opcode ID: 7cdd37e84c16e58aa9668f27b5895f535e5751ec9a3119e5e7c9a3b937a23a75
                      • Instruction ID: 0eda2ea5997e506cc85f388c4f2c290b31d57ae93ca6a16e7547640d06406f8a
                      • Opcode Fuzzy Hash: 7cdd37e84c16e58aa9668f27b5895f535e5751ec9a3119e5e7c9a3b937a23a75
                      • Instruction Fuzzy Hash: 36118471601208EFCF10CF68EC4499A7BE5AF05354B14C16AF819C7356E332DDA1DB60
                      APIs
                      • __EH_prolog.LIBCMT ref: 001F388B
                        • Part of subcall function 001D5CF7: __EH_prolog.LIBCMT ref: 001D5CFC
                        • Part of subcall function 001D1AB0: free.MSVCRT(00000000,001ED714,00000001,00000001,?,?,001D10EB,?,00000000), ref: 001D1AB4
                      • _CxxThrowException.MSVCRT(?,0020E118), ref: 001F38EA
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: H_prolog$ExceptionThrowfree
                      • String ID:
                      • API String ID: 1371406966-0
                      • Opcode ID: 5306c4a5ed68dedbba5aef24acbfec6c424c451d1c25d5dc782a613cececc12f
                      • Instruction ID: 2bfdeb6c39cd6d6866a1024fe9260c01a7ece9ff39ba0ad8b3d909abc45d7507
                      • Opcode Fuzzy Hash: 5306c4a5ed68dedbba5aef24acbfec6c424c451d1c25d5dc782a613cececc12f
                      • Instruction Fuzzy Hash: EF012672500748AACB25EF64C441ADEBBF5FF95310F00851EE992532A2CB709548DF60
                      APIs
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: fputs
                      • String ID:
                      • API String ID: 1795875747-0
                      • Opcode ID: 3c63f47b47beede16c38b1b20532b4c0bb3854868bbcb0d06e069700f68b734d
                      • Instruction ID: 0501e1edc080558f3c078d46b4f5b3bc6d63ccdcbe0d2b4232910b07ca180db4
                      • Opcode Fuzzy Hash: 3c63f47b47beede16c38b1b20532b4c0bb3854868bbcb0d06e069700f68b734d
                      • Instruction Fuzzy Hash: D2D0C27B2462125ECB141B08FC45C4077A9DB89372335012BE540531F14B531C249EA0
                      APIs
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: ErrorLastmemcpy
                      • String ID:
                      • API String ID: 2523627151-0
                      • Opcode ID: 90eed2a3aba239ea59b5fbeea567cd0a4cbdc026528bdf254b8af78a5b101d29
                      • Instruction ID: cee84ba21203c5797692293174c861de8cebce654b3fa9152fa8f263f73ba050
                      • Opcode Fuzzy Hash: 90eed2a3aba239ea59b5fbeea567cd0a4cbdc026528bdf254b8af78a5b101d29
                      • Instruction Fuzzy Hash: B8814671A10B019FDB65CE25D980AAAB7F2BF48314F148A2FE88687B40D734F845CF50
                      APIs
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: ExceptionThrowmalloc
                      • String ID:
                      • API String ID: 2436765578-0
                      • Opcode ID: 937407719be24f77719c18b97fe0d2e8a450a06e01daba3b71a115953cb02d11
                      • Instruction ID: 762f9ce45ba50673a5551b68bc3ac051f3ee581215dc69fff1b07fa3f0abbaf6
                      • Opcode Fuzzy Hash: 937407719be24f77719c18b97fe0d2e8a450a06e01daba3b71a115953cb02d11
                      • Instruction Fuzzy Hash: 05D0A93220438C7ACF006FE0E80888F3F2C8901760B009013F92C8E2A7E671C7A08B50
                      APIs
                      • __EH_prolog.LIBCMT ref: 001E81B6
                        • Part of subcall function 001D5CF7: __EH_prolog.LIBCMT ref: 001D5CFC
                        • Part of subcall function 001E8C48: __EH_prolog.LIBCMT ref: 001E8C4D
                        • Part of subcall function 001D1AB0: free.MSVCRT(00000000,001ED714,00000001,00000001,?,?,001D10EB,?,00000000), ref: 001D1AB4
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: H_prolog$free
                      • String ID:
                      • API String ID: 2654054672-0
                      • Opcode ID: 20b0c37445f68093398e1a52883f393d960f292fd99813df88524c6ca939abd9
                      • Instruction ID: 0bb9097c83d571133a3194117ae90f475e308a47ba20f9526f797db5a9dc06a3
                      • Opcode Fuzzy Hash: 20b0c37445f68093398e1a52883f393d960f292fd99813df88524c6ca939abd9
                      • Instruction Fuzzy Hash: 38427E30D00689EFCF25EFA5C981AEDBBB1FF28304F14405AE91A67292DB319E45DB51
                      APIs
                      • __EH_prolog.LIBCMT ref: 001DDA96
                        • Part of subcall function 001DDC05: __EH_prolog.LIBCMT ref: 001DDC0A
                        • Part of subcall function 001D1A89: malloc.MSVCRT ref: 001D1A8F
                        • Part of subcall function 001D1A89: _CxxThrowException.MSVCRT(?,0020E050), ref: 001D1AA9
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: H_prolog$ExceptionThrowmalloc
                      • String ID:
                      • API String ID: 3744649731-0
                      • Opcode ID: ef7279445b43b786cd523a8e917a9a7244bf02ddd1748764fc7851e094146c2e
                      • Instruction ID: 76cdebd68ee0e100e9bd042387c071f5661d3dfa9c5a30d49f78cfbadfcc347c
                      • Opcode Fuzzy Hash: ef7279445b43b786cd523a8e917a9a7244bf02ddd1748764fc7851e094146c2e
                      • Instruction Fuzzy Hash: 8D41F5B1815744CFD321DF69C1846CAFBE0BF19304F5488AFD49A97752D7B0AA48CB61
                      APIs
                      • __EH_prolog.LIBCMT ref: 00200B39
                        • Part of subcall function 00200AC4: __EH_prolog.LIBCMT ref: 00200AC9
                        • Part of subcall function 00200C74: __EH_prolog.LIBCMT ref: 00200C79
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: H_prolog
                      • String ID:
                      • API String ID: 3519838083-0
                      • Opcode ID: 04977628df5efa9361c44546d553c7e9d449095442906d9329d310f53e0fc509
                      • Instruction ID: ec1addeae9bcf5b4c41dd304c0e8c9bf860bbff85d418f4bc751b990bdbed982
                      • Opcode Fuzzy Hash: 04977628df5efa9361c44546d553c7e9d449095442906d9329d310f53e0fc509
                      • Instruction Fuzzy Hash: 5441E771445784DEC312DF69C094ADAFFE4BF25304F49C8AEC4AA5B762D770A608CB22
                      APIs
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: H_prolog
                      • String ID:
                      • API String ID: 3519838083-0
                      • Opcode ID: e0880551945626d1325626c626404cf1df3dff329b7b010507a221a0f469341e
                      • Instruction ID: 78a0c36ad7d7e442a732deb4c673d1229cdc1ab61dd44c9fc94a976552b36be8
                      • Opcode Fuzzy Hash: e0880551945626d1325626c626404cf1df3dff329b7b010507a221a0f469341e
                      • Instruction Fuzzy Hash: 5F311CB1E00A49EFCB15EF96C9918FEFBB5FF94364B208159E41A67251DB305D02CBA0
                      APIs
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: H_prolog
                      • String ID:
                      • API String ID: 3519838083-0
                      • Opcode ID: 5416db7eef0000925d5f4a28038fd33e3ca429250eeb578066edd544a9ca8deb
                      • Instruction ID: 1d1bfaea97ff5e81375541a8da23359a89d4733056ebffedd45e455bb703513b
                      • Opcode Fuzzy Hash: 5416db7eef0000925d5f4a28038fd33e3ca429250eeb578066edd544a9ca8deb
                      • Instruction Fuzzy Hash: 3911B271A047819FC714DFA9D45062EBBE5EBC9350F20853EE499D7381DB719E40C750
                      APIs
                      • __EH_prolog.LIBCMT ref: 001ED889
                        • Part of subcall function 001ED959: __EH_prolog.LIBCMT ref: 001ED95E
                        • Part of subcall function 001EDA12: __EH_prolog.LIBCMT ref: 001EDA17
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: H_prolog
                      • String ID:
                      • API String ID: 3519838083-0
                      • Opcode ID: a25efb42620c880df0d08b4f42350dd6c87564aabfce977ec0bfbb385fac7b26
                      • Instruction ID: 25a74266712c6dd2dd3f0a648e2d6b9a7097962c673b81d41d315b0060816c99
                      • Opcode Fuzzy Hash: a25efb42620c880df0d08b4f42350dd6c87564aabfce977ec0bfbb385fac7b26
                      • Instruction Fuzzy Hash: 9C11F9B56006449FCB55CF69C5C0A96BBF4BF19314B0485AEE98ADB706D770EA04CFA0
                      APIs
                      • __EH_prolog.LIBCMT ref: 001E7DEE
                        • Part of subcall function 001DD6A9: __EH_prolog.LIBCMT ref: 001DD6AE
                        • Part of subcall function 001DD6A9: GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,0020D620,76E38E30), ref: 001DD6C0
                        • Part of subcall function 001DD6A9: OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,0020D620,76E38E30), ref: 001DD6D7
                        • Part of subcall function 001DD6A9: LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 001DD6F9
                        • Part of subcall function 001DD6A9: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,0020D620,76E38E30), ref: 001DD70E
                        • Part of subcall function 001DD6A9: GetLastError.KERNEL32(?,00000000,?,?,00000000,0020D620,76E38E30), ref: 001DD718
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: H_prologProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                      • String ID:
                      • API String ID: 1532160333-0
                      • Opcode ID: 7db2a30a1a77ca60deb3887e7c12e0122074b7d5516608fbf3cf5a9170a7ecd8
                      • Instruction ID: a8fbed67cc6ef6ad1f852702a784f60209a79d8569bb2c088201234bf55f22b6
                      • Opcode Fuzzy Hash: 7db2a30a1a77ca60deb3887e7c12e0122074b7d5516608fbf3cf5a9170a7ecd8
                      • Instruction Fuzzy Hash: 382113B1805B948FC321DF6B85C068AFBF4BB19604B948A6E919A83B12C774A648CF55
                      APIs
                      • __EH_prolog.LIBCMT ref: 001E961D
                        • Part of subcall function 001D5CF7: __EH_prolog.LIBCMT ref: 001D5CFC
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: H_prolog
                      • String ID:
                      • API String ID: 3519838083-0
                      • Opcode ID: 505673080fc3b875e3b07710fd316b45fc4d70a4ec31b7048e96f7f0d39b3014
                      • Instruction ID: 01bffa5df805557584993ce91c34c368b5d4d090817e74b67718e895ee083e78
                      • Opcode Fuzzy Hash: 505673080fc3b875e3b07710fd316b45fc4d70a4ec31b7048e96f7f0d39b3014
                      • Instruction Fuzzy Hash: D301D8719106549ACF14F7D4C502BEDBBB5AF64358F04006BE41273392CF705945CA50
                      APIs
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: H_prolog
                      • String ID:
                      • API String ID: 3519838083-0
                      • Opcode ID: 3e51a35d5c3398bb5b40693f02de1cbf1f8966b0c77ac33d884a806aedd3e10a
                      • Instruction ID: 2ff440424f5ee5a6fd1bcca36a7bb1c53405ab9b770a0a07d5ef1e694358a6ce
                      • Opcode Fuzzy Hash: 3e51a35d5c3398bb5b40693f02de1cbf1f8966b0c77ac33d884a806aedd3e10a
                      • Instruction Fuzzy Hash: 1BF06D7AA10205AFC704DF94C844E9E73B9FF98318B10C569F4159B242C771E912CF60
                      APIs
                      • __EH_prolog.LIBCMT ref: 001D6155
                        • Part of subcall function 001D5CF7: __EH_prolog.LIBCMT ref: 001D5CFC
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: H_prolog
                      • String ID:
                      • API String ID: 3519838083-0
                      • Opcode ID: e5ee81f0fe280a1411726fed2141d31e491a93d3318801dff96ee78bfc06eab1
                      • Instruction ID: 0a4d37edb54f5fa4189d67f388b248973419db1dc920e991804faa0cc13ca479
                      • Opcode Fuzzy Hash: e5ee81f0fe280a1411726fed2141d31e491a93d3318801dff96ee78bfc06eab1
                      • Instruction Fuzzy Hash: 4DF0A772D516189ACB04EB94DA41BDDB3B5EF25344F10402BE812637D2CB756E09CE10
                      APIs
                      • __EH_prolog.LIBCMT ref: 001ED812
                        • Part of subcall function 001D1A89: malloc.MSVCRT ref: 001D1A8F
                        • Part of subcall function 001D1A89: _CxxThrowException.MSVCRT(?,0020E050), ref: 001D1AA9
                        • Part of subcall function 001ED884: __EH_prolog.LIBCMT ref: 001ED889
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: H_prolog$ExceptionThrowmalloc
                      • String ID:
                      • API String ID: 3744649731-0
                      • Opcode ID: cb79e081a172c4cb1a3246b753b33e95380b6aac3e37c29229f59cce1435faee
                      • Instruction ID: 17fe4545e8c5c670262e66b59a49e82590d731ef4b89994e41d0057e5adac7e1
                      • Opcode Fuzzy Hash: cb79e081a172c4cb1a3246b753b33e95380b6aac3e37c29229f59cce1435faee
                      • Instruction Fuzzy Hash: 9DE01271A10555AFCB0CFB68A812AAD76A5AB54310F10463EA016E32D1DF745E419654
                      APIs
                      • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 001D69DC
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: FileWrite
                      • String ID:
                      • API String ID: 3934441357-0
                      • Opcode ID: c59376311ba4ffd7f01b7a19849ae4cf5cd7d6ce6edad7842984b0ac21f77abd
                      • Instruction ID: 74ea20cc559b36e1f0bd6952774b19e4142778a4eaeeec30e515bb1c45a9f8a8
                      • Opcode Fuzzy Hash: c59376311ba4ffd7f01b7a19849ae4cf5cd7d6ce6edad7842984b0ac21f77abd
                      • Instruction Fuzzy Hash: 6FE0C275600208EBCB01CFA5D815B8E7BBABB58358F20C069F9199A2A4D735AA54DF50
                      APIs
                      • ReadFile.KERNELBASE(000000FF,?,?,00000000,00000000,000000FF,?,001D65EF,00000000,00004000,00000000,000000FF,?,?,?), ref: 001D68C3
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: FileRead
                      • String ID:
                      • API String ID: 2738559852-0
                      • Opcode ID: 5d4798fe1623ea10fb71521b8ec45aeb5e0c6e61e11e047dd2a2dcb63f4efbe2
                      • Instruction ID: 1f5f24ab063132980782363078333a56ad2e8bdfa73579f1d10794da15b45eaa
                      • Opcode Fuzzy Hash: 5d4798fe1623ea10fb71521b8ec45aeb5e0c6e61e11e047dd2a2dcb63f4efbe2
                      • Instruction Fuzzy Hash: F1E0EC75200208FBCB01CF90CC05FCE7BBAAB49754F208058E905961A0C375AA54EB54
                      APIs
                      • FindCloseChangeNotification.KERNELBASE(00000000,00000000,001DD6D0,?,00000000,?,?,00000000,0020D620,76E38E30), ref: 001DD755
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: ChangeCloseFindNotification
                      • String ID:
                      • API String ID: 2591292051-0
                      • Opcode ID: f93e4d47a16f1301e654161dd692629ac1634e5bcc59bbf1163dfac42908320e
                      • Instruction ID: ea7ee1e3bb4b7f6c81b00993514df220ae5ceb5e0553dd699ce945c853a4f964
                      • Opcode Fuzzy Hash: f93e4d47a16f1301e654161dd692629ac1634e5bcc59bbf1163dfac42908320e
                      • Instruction Fuzzy Hash: 56D0123161521247DF705F2CB8487D233DD6F10369B15049AF894CB251E764DCC2D654
                      APIs
                      • FindCloseChangeNotification.KERNELBASE(00000000,?,001D63D3,000000FF,00000009,00000001), ref: 001D647B
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: ChangeCloseFindNotification
                      • String ID:
                      • API String ID: 2591292051-0
                      • Opcode ID: 6ea2254124613dabdcbdf0fcc4ebda3636b15f38330db86bdf0109587fb3faa6
                      • Instruction ID: 6dc436001d47b87bb2dcef37ba880a4a7870472821bc2207e8ec4e5299f1f74e
                      • Opcode Fuzzy Hash: 6ea2254124613dabdcbdf0fcc4ebda3636b15f38330db86bdf0109587fb3faa6
                      • Instruction Fuzzy Hash: 2ED0123110462246CA742E3C784C5C237DD5A12330321074BF4B5C32E2D3658CC38650
                      APIs
                      • FreeLibrary.KERNELBASE(00000000,00000004,001D4A3B,?,001EC99A,00000000,00000000,?,00000000,00000000,?,?,001ECCEC,00000000,00000000,?), ref: 001D49F3
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: FreeLibrary
                      • String ID:
                      • API String ID: 3664257935-0
                      • Opcode ID: 0d2851ffe8323304934ef39603a282d08a5677949b0e87fac762db1dfe759241
                      • Instruction ID: d063fc04fdf36a7c3bc73c19d99ad266fe68be4d7990458fc22668801cbfec96
                      • Opcode Fuzzy Hash: 0d2851ffe8323304934ef39603a282d08a5677949b0e87fac762db1dfe759241
                      • Instruction Fuzzy Hash: DED0123125427147DF605E2DB8087D323D86F01721B01445AE481D3209D772DCC297A4
                      APIs
                      • FindClose.KERNELBASE(00000000,?,001D58DC), ref: 001D58AF
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: CloseFind
                      • String ID:
                      • API String ID: 1863332320-0
                      • Opcode ID: 33f56ee1c212b07719b6e5ec82a8c558af903025fdac6a45390e339c9153cfe9
                      • Instruction ID: 5fb529ebfeb791b1acc2b3c88e9580483af4bb5a291ce519941a946c78517a5c
                      • Opcode Fuzzy Hash: 33f56ee1c212b07719b6e5ec82a8c558af903025fdac6a45390e339c9153cfe9
                      • Instruction Fuzzy Hash: 85D0123110566256DF641E3D7888AD573E95E02370325079AF0B5C32E1D370DCC36650
                      APIs
                        • Part of subcall function 001D49E9: FreeLibrary.KERNELBASE(00000000,00000004,001D4A3B,?,001EC99A,00000000,00000000,?,00000000,00000000,?,?,001ECCEC,00000000,00000000,?), ref: 001D49F3
                      • LoadLibraryW.KERNELBASE(00000000,?,001EC99A,00000000,00000000,?,00000000,00000000,?,?,001ECCEC,00000000,00000000,?), ref: 001D4A43
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: Library$FreeLoad
                      • String ID:
                      • API String ID: 534179979-0
                      • Opcode ID: b24040faf333fc4523f5ff3803b62728dbe6e6936caaad2ecc4c16c5e3db8c9f
                      • Instruction ID: f24f9044760ad97c98c3b0f7fbd20071ea4a761dc8ee39549ee585935cb44529
                      • Opcode Fuzzy Hash: b24040faf333fc4523f5ff3803b62728dbe6e6936caaad2ecc4c16c5e3db8c9f
                      • Instruction Fuzzy Hash: 2EC0127100531347C7245F35A9155DA77D95F29344705443BB582D3261CB31C8959B54
                      APIs
                      • SetFileTime.KERNELBASE(?,?,?,?,001E005D,00000000,00000000,00000000), ref: 001D699A
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: FileTime
                      • String ID:
                      • API String ID: 1425588814-0
                      • Opcode ID: 398bfad81b0b2e3b9b6da2d45c0368a83207fb456ae6979b037cafcedc29c0ad
                      • Instruction ID: bb7f60477e200ebfee8ca5851e886d593fb05ccb6001c4523b8db876892ecc70
                      • Opcode Fuzzy Hash: 398bfad81b0b2e3b9b6da2d45c0368a83207fb456ae6979b037cafcedc29c0ad
                      • Instruction Fuzzy Hash: 61C04C36158206FFCF020F70DC08D5ABBA2AB95311F10C918B26AC4471D7328064EB02
                      APIs
                      • SetEndOfFile.KERNELBASE(?,001D6A7D,?,?,?), ref: 001D6A3A
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: File
                      • String ID:
                      • API String ID: 749574446-0
                      • Opcode ID: 483dd11da86ac165c057886cd24647b0e209ad0081dbc1a38516994a737f4617
                      • Instruction ID: 3246ef49bd3cebb323c39b0915be58969f0938d9b0dc4e8138b560c9badee5b8
                      • Opcode Fuzzy Hash: 483dd11da86ac165c057886cd24647b0e209ad0081dbc1a38516994a737f4617
                      • Instruction Fuzzy Hash: 5EA001B02A511A8A8E111B34EC09A243AA2AA5260672026A4A003CA4B6DA224458EA01
                      APIs
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: memcpy
                      • String ID:
                      • API String ID: 3510742995-0
                      • Opcode ID: ecf2f624f306b12498244a9c43a07bc4deacf48ff99f8ec47e90e2ec5ac0ef39
                      • Instruction ID: 33e38362fd1c04a0e1df440fd18d38f21009b3f05df4ac286e5c61366371a0a3
                      • Opcode Fuzzy Hash: ecf2f624f306b12498244a9c43a07bc4deacf48ff99f8ec47e90e2ec5ac0ef39
                      • Instruction Fuzzy Hash: 5BF08272605641ABE7309E5AE88182AB3ECEF84350324863FF8A6C3751E761DC518B50
                      APIs
                      • DeviceIoControl.KERNEL32(00000000,00074004,00000000,00000000,?,00000020,?,00000000), ref: 001D66F3
                      • DeviceIoControl.KERNEL32(000000FF,000700A0,00000000,00000000,?,00000028,?,00000000), ref: 001D6796
                      • DeviceIoControl.KERNEL32(000000FF,00070000,00000000,00000000,00000003,00000018,?,00000000), ref: 001D67C6
                      • DeviceIoControl.KERNEL32(000000FF,0002404C,00000000,00000000,00000003,00000018,?,00000000), ref: 001D67E8
                        • Part of subcall function 001D7DCD: GetModuleHandleW.KERNEL32(kernel32.dll,GetDiskFreeSpaceExW,756EF5D0,000000FF,00000000,?,?,?,?,?,?,?,?,?,001D6760,00000001), ref: 001D7DE9
                        • Part of subcall function 001D7DCD: GetProcAddress.KERNEL32(00000000), ref: 001D7DF0
                        • Part of subcall function 001D7DCD: GetDiskFreeSpaceW.KERNEL32(00000001,001D6760,?,?,?,?,?,?,?,?,?,?,?,?,001D6760,00000001), ref: 001D7E40
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: ControlDevice$AddressDiskFreeHandleModuleProcSpace
                      • String ID: :
                      • API String ID: 4250411929-336475711
                      • Opcode ID: e3edfd46f6224c70f330ca2ee2462cb36aa46a590cb07541511e5926371994e9
                      • Instruction ID: c26013655d3af9cf37c9ea61af8565c618066a2a43ef661e0dbb25b8365b1754
                      • Opcode Fuzzy Hash: e3edfd46f6224c70f330ca2ee2462cb36aa46a590cb07541511e5926371994e9
                      • Instruction Fuzzy Hash: 65518EB1940348AEDB21DBA4C840EEBBBFCAF18344B04C55AE199A7355D335AD84DB61
                      APIs
                      • __EH_prolog.LIBCMT ref: 001D62E4
                      • GetLogicalDriveStringsW.KERNEL32(00000000,00000000,?,?,00000000), ref: 001D6301
                      • GetLogicalDriveStringsW.KERNEL32(00000000,00000000,?,00000000), ref: 001D632F
                        • Part of subcall function 001D1AB0: free.MSVCRT(00000000,001ED714,00000001,00000001,?,?,001D10EB,?,00000000), ref: 001D1AB4
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: DriveLogicalStrings$H_prologfree
                      • String ID:
                      • API String ID: 396970233-0
                      • Opcode ID: a8706dd837f8c0737d0e46967f1031515fa944d1ae137618c4f1d39c30e09346
                      • Instruction ID: fe79c4d76565ed33c8dfec43976ef6b85e6f6180a5e1cd6a0bf3cd26cb938c0f
                      • Opcode Fuzzy Hash: a8706dd837f8c0737d0e46967f1031515fa944d1ae137618c4f1d39c30e09346
                      • Instruction Fuzzy Hash: 6F219F72E01259ABDB10EFE59981BEEF7B8FF55310F20412BE116B3382DB7499448B60
                      APIs
                        • Part of subcall function 001D8607: GetCurrentProcess.KERNEL32(?,?,001D8628), ref: 001D860C
                        • Part of subcall function 001D8607: GetProcessAffinityMask.KERNEL32(00000000), ref: 001D8613
                      • GetSystemInfo.KERNEL32(?), ref: 001D863E
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: Process$AffinityCurrentInfoMaskSystem
                      • String ID:
                      • API String ID: 3251479945-0
                      • Opcode ID: 466f975c4c3416402451408bb6256c0844327d852184e3bfae320dd25d395c2a
                      • Instruction ID: 66768912135e221e81826dde1792867b2626eb1ebd8fc606d907f90ce4b70aa6
                      • Opcode Fuzzy Hash: 466f975c4c3416402451408bb6256c0844327d852184e3bfae320dd25d395c2a
                      • Instruction Fuzzy Hash: 5DD05E74A0020D9BCF04FBB5E8969AD77B8AE44399F484059E802E2291EF60E946CB90
                      APIs
                      • GetSystemTimeAsFileTime.KERNEL32(00000000,0020180B,00000000,0020D620,76E38E30), ref: 001D8775
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: Time$FileSystem
                      • String ID:
                      • API String ID: 2086374402-0
                      • Opcode ID: 4a87dabbd2f2d8cf45a3f44e07a02da47a2eb391a9f347129a4555a151128c1f
                      • Instruction ID: 71ba23951589a5eafeb7509df2b9836ef6e2d790861fc00b9fc48130842e703c
                      • Opcode Fuzzy Hash: 4a87dabbd2f2d8cf45a3f44e07a02da47a2eb391a9f347129a4555a151128c1f
                      • Instruction Fuzzy Hash:
                      APIs
                      • GetCurrentProcess.KERNEL32(?,?,?,0020D62C,?,?,?,?,?,?,?,?,?,?,?,00200815), ref: 002017EB
                      • GetProcessTimes.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00200815,00000000,?,?), ref: 002017F2
                        • Part of subcall function 001D8774: GetSystemTimeAsFileTime.KERNEL32(00000000,0020180B,00000000,0020D620,76E38E30), ref: 001D8775
                      • memset.MSVCRT ref: 00201814
                      • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,0020D620,76E38E30,?,?,?,?,?,?,?,?,?,?,?,00200815), ref: 0020182D
                      • GetProcAddress.KERNEL32(00000000,K32GetProcessMemoryInfo), ref: 00201842
                      • LoadLibraryW.KERNEL32(Psapi.dll,?,?,?,?,?,?,?,?,?,?,?,00200815,00000000,?,?), ref: 0020184F
                      • GetProcAddress.KERNEL32(00000000,GetProcessMemoryInfo), ref: 0020185F
                      • GetCurrentProcess.KERNEL32(?,00000028,?,?,?,?,?,?,?,?,?,?,?,00200815,00000000,?), ref: 0020186D
                      • GetProcAddress.KERNEL32(?,QueryProcessCycleTime), ref: 00201881
                      • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00200815,00000000,?,?), ref: 0020188D
                      • fputs.MSVCRT ref: 00201910
                      • __aulldiv.LIBCMT ref: 00201925
                      • fputs.MSVCRT ref: 00201942
                      • fputs.MSVCRT ref: 0020196E
                      • __aulldiv.LIBCMT ref: 0020197E
                      • __aulldiv.LIBCMT ref: 00201996
                      • fputs.MSVCRT ref: 002019B3
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: Processfputs$AddressCurrentProc__aulldiv$Time$FileHandleLibraryLoadModuleSystemTimesmemset
                      • String ID: Cnt:$ Freq (cnt/ptime):$ Fv$ MCycles$ MHz$@T!$GetProcessMemoryInfo$Global $K32GetProcessMemoryInfo$Kernel $Physical$Process$Psapi.dll$QueryProcessCycleTime$User $Virtual $kernel32.dll
                      • API String ID: 4173168154-201423535
                      • Opcode ID: 1310fc3cad090e907708a3083963e5863cdd3a0cc6ba8a982c5a25e0ed2e9862
                      • Instruction ID: 66efec0ee6ef6879cf60b75a7390cdd86c68bc3d7f7ba1482478c814a65c4fbd
                      • Opcode Fuzzy Hash: 1310fc3cad090e907708a3083963e5863cdd3a0cc6ba8a982c5a25e0ed2e9862
                      • Instruction Fuzzy Hash: C5614E71E11319AFDF14AFE4EC89DAEBBB9EF88710F10402AF501A31E2DA715960CB50
                      APIs
                      • __EH_prolog.LIBCMT ref: 002014FD
                      • fputs.MSVCRT ref: 00201567
                        • Part of subcall function 001D1F11: fputs.MSVCRT ref: 001D1F2B
                      • fputs.MSVCRT ref: 00201538
                        • Part of subcall function 0020172A: __EH_prolog.LIBCMT ref: 0020172F
                        • Part of subcall function 0020172A: fputs.MSVCRT ref: 00201758
                        • Part of subcall function 0020172A: fputs.MSVCRT ref: 0020179C
                      • fputs.MSVCRT ref: 002015EA
                      • fputs.MSVCRT ref: 00201609
                      • fputs.MSVCRT ref: 00201632
                      • fputs.MSVCRT ref: 00201645
                      • fputc.MSVCRT ref: 00201652
                        • Part of subcall function 001D1CA1: fputc.MSVCRT ref: 001D1CA8
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: fputs$H_prologfputc
                      • String ID: Error:$ Fv$ file$8T!$@Fv$Scan WARNINGS for files and folders:$Scan WARNINGS: $WARNING: Cannot open $WARNINGS for files:
                      • API String ID: 3294964263-1505090904
                      • Opcode ID: a053de0fcafe78e5d3f533a395d76e99e596ea56485e9d146d3c29dd70f8422e
                      • Instruction ID: dcbd46848f2fcfcec0d149551e2ec3adbee3515b6b6dcc890716d57e00f7c7ba
                      • Opcode Fuzzy Hash: a053de0fcafe78e5d3f533a395d76e99e596ea56485e9d146d3c29dd70f8422e
                      • Instruction Fuzzy Hash: DE519331A24306ABCF19EFA4D882AADB7B5AF54301F24016FE402672D3DF715D60DB61
                      APIs
                      • __EH_prolog.LIBCMT ref: 001FDABE
                      • fputs.MSVCRT ref: 001FDAF4
                        • Part of subcall function 001FDDF7: __EH_prolog.LIBCMT ref: 001FDDFC
                        • Part of subcall function 001FDDF7: fputs.MSVCRT ref: 001FDE11
                        • Part of subcall function 001FDDF7: fputs.MSVCRT ref: 001FDE1A
                      • fputs.MSVCRT ref: 001FDB24
                        • Part of subcall function 001D1CA1: fputc.MSVCRT ref: 001D1CA8
                      • SysFreeString.OLEAUT32(00000000), ref: 001FDC5D
                      • fputs.MSVCRT ref: 001FDC80
                      • SysFreeString.OLEAUT32(00000000), ref: 001FDD1D
                      • SysFreeString.OLEAUT32(00000000), ref: 001FDD67
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: fputs$FreeString$H_prolog$fputc
                      • String ID: --$----$Path$Type$Warning: The archive is open with offset
                      • API String ID: 2047134881-3797937567
                      • Opcode ID: 1291dd5f76a9d9f95cc7027164d41ef4b0cee866b4e734d2017ca6231e1ef56b
                      • Instruction ID: 1f0eeccebf6d4f5ce9f94b9d51d384b445e3a960e88ae5603aad388e47fa0450
                      • Opcode Fuzzy Hash: 1291dd5f76a9d9f95cc7027164d41ef4b0cee866b4e734d2017ca6231e1ef56b
                      • Instruction Fuzzy Hash: 57919B71A00209EFCB14DFA4ED95EBEB7B6FF58310F204129E616A7291DB70AD05CB60
                      APIs
                      • __EH_prolog.LIBCMT ref: 001DC9D7
                      • OpenFileMappingW.KERNEL32(00000004,00000000,?,?,?,00000000,?), ref: 001DCA9B
                      • GetLastError.KERNEL32(?,00000000,?), ref: 001DCAA8
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: ErrorFileH_prologLastMappingOpen
                      • String ID: Can not open mapping$Map data error$MapViewOfFile error$Unsupported Map data$Unsupported Map data size
                      • API String ID: 2221086200-220075109
                      • Opcode ID: dc60142d6d8b46d4d0b02b1c7dfd6c0c78d835a43e54ca47222558b13892ae6b
                      • Instruction ID: 99b8c151376409ee1ec830f349e3b970bc6506ab63b0af6ad39a8617bc3b7a85
                      • Opcode Fuzzy Hash: dc60142d6d8b46d4d0b02b1c7dfd6c0c78d835a43e54ca47222558b13892ae6b
                      • Instruction Fuzzy Hash: 1151907180025AEECF05EFA4C586AEDB7B5BF24354F11485BE402B7352DB709E88CBA1
                      APIs
                      • __EH_prolog.LIBCMT ref: 001FB751
                      • fputs.MSVCRT ref: 001FB76E
                      • fputs.MSVCRT ref: 001FB777
                        • Part of subcall function 001D1E53: __EH_prolog.LIBCMT ref: 001D1E58
                        • Part of subcall function 001D1CA1: fputc.MSVCRT ref: 001D1CA8
                      • fputs.MSVCRT ref: 001FB7BD
                      • fputs.MSVCRT ref: 001FB7C6
                      • fputs.MSVCRT ref: 001FB7CD
                        • Part of subcall function 001D1AB0: free.MSVCRT(00000000,001ED714,00000001,00000001,?,?,001D10EB,?,00000000), ref: 001D1AB4
                      • fputs.MSVCRT ref: 001FB7FF
                      • fputs.MSVCRT ref: 001FB808
                      • fputs.MSVCRT ref: 001FB810
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: fputs$H_prolog$fputcfree
                      • String ID: Modified: $Path: $Size:
                      • API String ID: 2632947726-3207571042
                      • Opcode ID: 5160e43c310e4a95fcbbb85090ac3ff62b93bbde81674bcb5c7a42a9ad62cb40
                      • Instruction ID: 274be100b56f69086cd92083890b66bd843aa0cc6816fc962994f351a65b54a1
                      • Opcode Fuzzy Hash: 5160e43c310e4a95fcbbb85090ac3ff62b93bbde81674bcb5c7a42a9ad62cb40
                      • Instruction Fuzzy Hash: 14219231A00219BBCF16BBA4DCC5EAEBF36EF94350F144016F9055A2E2EB314861EF91
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: fputs$H_prolog
                      • String ID: Fv$@$data:
                      • API String ID: 2614055831-2890186661
                      • Opcode ID: 3db4a758e123a6529cb76c2fd1963846c10a298e33ddd0f9899191a174f3c9fe
                      • Instruction ID: d6e3b31a97bad547aed82bcb0a74be6d5c1be2ab58fb5e3c2177acaa19749b2d
                      • Opcode Fuzzy Hash: 3db4a758e123a6529cb76c2fd1963846c10a298e33ddd0f9899191a174f3c9fe
                      • Instruction Fuzzy Hash: BDC1B271A0020EEFCF14DFA4E894AFEB7B6FF58314F204559E20AA7291DB30A944CB51
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: fputs$fputc$__aulldiv
                      • String ID: Fv$ Time =$@T!$Kernel
                      • API String ID: 3602660170-3871659933
                      • Opcode ID: 21415b825cec49949f4bc1839a05ea39ca90252ebfee1b9213132bd62801906d
                      • Instruction ID: 017db0d4bf5e9261d4ce25852f9b637e9d1deba019d5a4448b4c816917d78453
                      • Opcode Fuzzy Hash: 21415b825cec49949f4bc1839a05ea39ca90252ebfee1b9213132bd62801906d
                      • Instruction Fuzzy Hash: 3331A372A10315BFEB14AF94EC46F9E77A9EF88710F11801AFA049B2D1D6B19D60CF94
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: fputs$H_prolog
                      • String ID: $ Fv$ MB$ Memory =$@T!
                      • API String ID: 2614055831-1107575470
                      • Opcode ID: 112d61ef8a0f4c419a374bbd61fad7f42c93f062ffb471b3f328b2a6ef39563d
                      • Instruction ID: 67188be8fde4a3d0f2849e3f5e774f622e86eb081830f2f6f7823440581c16c2
                      • Opcode Fuzzy Hash: 112d61ef8a0f4c419a374bbd61fad7f42c93f062ffb471b3f328b2a6ef39563d
                      • Instruction Fuzzy Hash: A211C172A04305AFDB00AB94EC86EADBB74EF94310F204027F601532E2EB726860CF90
                      APIs
                      • __EH_prolog.LIBCMT ref: 001FC460
                      • EnterCriticalSection.KERNEL32(002156E0), ref: 001FC476
                      • fputs.MSVCRT ref: 001FC500
                      • LeaveCriticalSection.KERNEL32(002156E0), ref: 001FC639
                        • Part of subcall function 00202634: fputs.MSVCRT ref: 0020269D
                      • fputs.MSVCRT ref: 001FC546
                        • Part of subcall function 001D1F3A: fputs.MSVCRT ref: 001D1F57
                      • fputs.MSVCRT ref: 001FC5CE
                      • fputs.MSVCRT ref: 001FC5EB
                        • Part of subcall function 001D1CA1: fputc.MSVCRT ref: 001D1CA8
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: fputs$CriticalSection$EnterH_prologLeavefputc
                      • String ID: Sub items Errors: $V!$V!
                      • API String ID: 2670240366-17563943
                      • Opcode ID: 3e10f3cd8dedee8c6fa0d5b9edcb74adfb4668f4f4719a0886931e74bcb6af65
                      • Instruction ID: 674e73c94c90c5bcb4f2df3f615389349e22c5b397bad971e28fd5b7266149f6
                      • Opcode Fuzzy Hash: 3e10f3cd8dedee8c6fa0d5b9edcb74adfb4668f4f4719a0886931e74bcb6af65
                      • Instruction Fuzzy Hash: 7851CF72601709DFDB25DF24D994ABAB7F2FF94310F14442EE69A87262CB317844EB90
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: fputs
                      • String ID: : Can not open the file as [$ERROR$Open $WARNING$] archive
                      • API String ID: 1795875747-2741933734
                      • Opcode ID: 38baeadabb50c7b12d25fee312d8da79715aa65fa69166ae60ed52c0fa924d9a
                      • Instruction ID: d9e4eb0dd5cc18f63b8eff3cc06079411be4103cfa131a4617e39b379e5966bf
                      • Opcode Fuzzy Hash: 38baeadabb50c7b12d25fee312d8da79715aa65fa69166ae60ed52c0fa924d9a
                      • Instruction Fuzzy Hash: FBF08272A153193BC7216755AC85D2EBF5ADFD9360B240067F505433D3EB6618309EA1
                      APIs
                      • __EH_prolog.LIBCMT ref: 001FC057
                      • fputs.MSVCRT ref: 001FC157
                        • Part of subcall function 00202634: fputs.MSVCRT ref: 0020269D
                      • fputs.MSVCRT ref: 001FC23F
                      • fputs.MSVCRT ref: 001FC357
                      • fputs.MSVCRT ref: 001FC3A6
                        • Part of subcall function 001D1C92: fflush.MSVCRT ref: 001D1C94
                        • Part of subcall function 001D4B2F: __EH_prolog.LIBCMT ref: 001D4B34
                        • Part of subcall function 001D1CB4: __EH_prolog.LIBCMT ref: 001D1CB9
                        • Part of subcall function 001D1CB4: fputs.MSVCRT ref: 001D1D2C
                        • Part of subcall function 001D1AB0: free.MSVCRT(00000000,001ED714,00000001,00000001,?,?,001D10EB,?,00000000), ref: 001D1AB4
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: fputs$H_prolog$fflushfree
                      • String ID: Can't allocate required memory$ERRORS:$WARNINGS:
                      • API String ID: 1750297421-1898165966
                      • Opcode ID: 9f917be7fd7336d98ea31d4d2cf85b5ff39299dda439accac05aece6622f05b1
                      • Instruction ID: eeee11d46406c467fc0a89bf4b1c75f0ec5a2ac2a28516f96a1cff86f488b1f4
                      • Opcode Fuzzy Hash: 9f917be7fd7336d98ea31d4d2cf85b5ff39299dda439accac05aece6622f05b1
                      • Instruction Fuzzy Hash: 87B18E71601709EFEB25DF60C990BBAB7A1FF54300F14892EE65A47392CB30AC44DB90
                      APIs
                      • GetCurrentThreadId.KERNEL32 ref: 001D56B9
                      • GetTickCount.KERNEL32 ref: 001D56C4
                      • GetCurrentProcessId.KERNEL32 ref: 001D56CF
                      • GetTickCount.KERNEL32 ref: 001D572E
                      • SetLastError.KERNEL32(000000B7,?), ref: 001D5761
                      • GetLastError.KERNEL32(?), ref: 001D5787
                        • Part of subcall function 001D4FEA: __EH_prolog.LIBCMT ref: 001D4FEF
                        • Part of subcall function 001D4FEA: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000001), ref: 001D5011
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: CountCurrentErrorLastTick$CreateDirectoryH_prologProcessThread
                      • String ID: .tmp$d
                      • API String ID: 43677640-2797371523
                      • Opcode ID: 2df144c862191a03f6c0ae620d6696c4b0032c8e936b7bcfa77c041edd41f006
                      • Instruction ID: 5e17fab05a337fb09111ec633909f1d2f0593dae4d8ffc160e0b344bc058cf0e
                      • Opcode Fuzzy Hash: 2df144c862191a03f6c0ae620d6696c4b0032c8e936b7bcfa77c041edd41f006
                      • Instruction Fuzzy Hash: 8D312736A00214DBDF14AB64D89E7AC77B2AF61351F74401BE8079B382D7388C81CB51
                      APIs
                      Strings
                      • V!, xrefs: 001FB5DF
                      • with the file from archive:, xrefs: 001FB64C
                      • Would you like to replace the existing file:, xrefs: 001FB627
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: CriticalSectionfputs$EnterH_prologLeave
                      • String ID: Would you like to replace the existing file:$with the file from archive:$V!
                      • API String ID: 3914623533-2264032625
                      • Opcode ID: ce8fb23ad7f6986f1e7de682be8001efaa1273e37f47828662bc30b62931f9e6
                      • Instruction ID: 6c391451f13a0046cb05c4c8907fb4448f48360a1ca6d9cf76607c6cf46a848c
                      • Opcode Fuzzy Hash: ce8fb23ad7f6986f1e7de682be8001efaa1273e37f47828662bc30b62931f9e6
                      • Instruction Fuzzy Hash: 3D317C75218208DBDB15AF64D881BBE77A2EF88320F16815AEA0A97391CB34AC50DF55
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: CriticalSectionfputs$EnterH_prologLeave
                      • String ID: : $V!$V!
                      • API String ID: 3914623533-411086463
                      • Opcode ID: 2da6359fd96a4c4bbf25a90cbcef513fad9e1c5b3886aa4d13055f58c60c6aa5
                      • Instruction ID: 93f70f64e4dfa3d3fbee5ee916a6e58a627784d1715c78ead8644217a99d31cb
                      • Opcode Fuzzy Hash: 2da6359fd96a4c4bbf25a90cbcef513fad9e1c5b3886aa4d13055f58c60c6aa5
                      • Instruction Fuzzy Hash: 1A31AF71901309DFCB15EFA5D884EEAB7B5FF94314F50846EE95A8B262CB31A844CF60
                      APIs
                      • GetModuleHandleA.KERNEL32(kernel32.dll,FindFirstStreamW), ref: 001D5A31
                      • GetProcAddress.KERNEL32(00000000), ref: 001D5A3A
                      • GetModuleHandleA.KERNEL32(kernel32.dll,FindNextStreamW), ref: 001D5A47
                      • GetProcAddress.KERNEL32(00000000), ref: 001D5A4A
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: AddressHandleModuleProc
                      • String ID: FindFirstStreamW$FindNextStreamW$LT!$kernel32.dll
                      • API String ID: 1646373207-3248230823
                      • Opcode ID: c9b122c94497c5fdf87ca7740d367310ec6d00765eb5e24ff18ef701cd3d6043
                      • Instruction ID: 00dc7e76aa48d584d9df1047b05cf5edf640e5c6fd2ceabbbe99a1b371fd9bc1
                      • Opcode Fuzzy Hash: c9b122c94497c5fdf87ca7740d367310ec6d00765eb5e24ff18ef701cd3d6043
                      • Instruction Fuzzy Hash: B5E0487176172867C7045FA97C4CC57F79CD6E635230145A7B107E32A3CAB568904E90
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: fputs$CriticalSection$EnterH_prologLeave
                      • String ID: V!
                      • API String ID: 1850570545-1153007120
                      • Opcode ID: 6d8b576d106591b9b64bfb68ec1b3ebe7059988eeacafcf0cc79b575e9c89fbf
                      • Instruction ID: 0af9f8feab3a434ebd5fbd10e6099cc98bba36866836a251c1245b2355a4b35b
                      • Opcode Fuzzy Hash: 6d8b576d106591b9b64bfb68ec1b3ebe7059988eeacafcf0cc79b575e9c89fbf
                      • Instruction Fuzzy Hash: 0551CD7160870AEFDB25DF20D8C4BBAB7A1FF99354F00842EE65A97291CB70A854CF51
                      APIs
                      • fputs.MSVCRT ref: 00203C2C
                        • Part of subcall function 001D1C92: fflush.MSVCRT ref: 001D1C94
                      • GetStdHandle.KERNEL32(000000F6), ref: 00203C3E
                      • GetConsoleMode.KERNEL32(00000000,00000000), ref: 00203C60
                      • SetConsoleMode.KERNEL32(00000000,00000000), ref: 00203C71
                      • SetConsoleMode.KERNEL32(00000000,00000000), ref: 00203C91
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: ConsoleMode$Handlefflushfputs
                      • String ID: Enter password (will not be echoed):$0T!
                      • API String ID: 108775803-2160140728
                      • Opcode ID: 0cab36d949b1e426e15f60cb4788e7f26a04a4b67da266aa574fde3bbdabd037
                      • Instruction ID: 99c645334dc815a4730541e7655bd95510a9fda4f38ba5112d5f101458ecce57
                      • Opcode Fuzzy Hash: 0cab36d949b1e426e15f60cb4788e7f26a04a4b67da266aa574fde3bbdabd037
                      • Instruction Fuzzy Hash: 3911A33691031ABBDB019BA4A849ABEBBBD9F85721F14415AE851B22E2CB304E51CB50
                      APIs
                      • GetModuleHandleW.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 001D866D
                      • GetProcAddress.KERNEL32(00000000), ref: 001D8674
                      • GlobalMemoryStatus.KERNEL32(?), ref: 001D86B4
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: AddressGlobalHandleMemoryModuleProcStatus
                      • String ID: $@$GlobalMemoryStatusEx$kernel32.dll
                      • API String ID: 2450578220-802862622
                      • Opcode ID: dc369b747b72a615c72d7ad322b5d2662710d8c1b729c38813874463ecac39f4
                      • Instruction ID: e577b60ce88ab3267f0f7527fd8521d2efd9f55ec43f1c6c39a6c7d2eb1e5669
                      • Opcode Fuzzy Hash: dc369b747b72a615c72d7ad322b5d2662710d8c1b729c38813874463ecac39f4
                      • Instruction Fuzzy Hash: 3E11357091130ADFDF14EFA4D859AAEBBF5BB04311F10441AE486AB381DB74E884CF54
                      APIs
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: memcmp
                      • String ID:
                      • API String ID: 1475443563-0
                      • Opcode ID: 06f65bff847e5167f141e30917cc46da942f35ddd3f4bc1fbd90768781b7df35
                      • Instruction ID: d842a1977dfefdfa62fed294edca5d1ae1c81ee7fa3928bcf2d6e7d5fb0131c6
                      • Opcode Fuzzy Hash: 06f65bff847e5167f141e30917cc46da942f35ddd3f4bc1fbd90768781b7df35
                      • Instruction Fuzzy Hash: 1231A1B17543096BDB19BE10DCCAFBA33AC9B617A4B018174FE059B282F774ED109A91
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: H_prolog
                      • String ID: Incorrect switch postfix:$Multiple instances for switch:$Too long switch:$Too short switch:$Unknown switch:
                      • API String ID: 3519838083-2104980125
                      • Opcode ID: 435430d883ad7a46d6978e2bbe10c18f1b77265f86b085000d4f7b34ccaac5a0
                      • Instruction ID: 6cbdf5b5699967a4b18d375e859588f26b2ab2bc3202793ef73dfc29412d174c
                      • Opcode Fuzzy Hash: 435430d883ad7a46d6978e2bbe10c18f1b77265f86b085000d4f7b34ccaac5a0
                      • Instruction Fuzzy Hash: DD518C31A0024AFFCF14DF58C580AAABBB2BF12324F54815BE4559BB92D771EA41CB91
                      APIs
                      • __EH_prolog.LIBCMT ref: 001DC6D0
                        • Part of subcall function 001D6150: __EH_prolog.LIBCMT ref: 001D6155
                      • _CxxThrowException.MSVCRT(?,0020EF08), ref: 001DC714
                      • _CxxThrowException.MSVCRT(?,0020EF08), ref: 001DC795
                      • _CxxThrowException.MSVCRT(?,0020EF08), ref: 001DC7B2
                      • _CxxThrowException.MSVCRT(?,0020EF08), ref: 001DC7D9
                        • Part of subcall function 001E96EC: __EH_prolog.LIBCMT ref: 001E96F1
                      Strings
                      • The file operation error for listfile, xrefs: 001DC742
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: ExceptionThrow$H_prolog
                      • String ID: The file operation error for listfile
                      • API String ID: 206451386-4247703111
                      • Opcode ID: 564edff2f3bdce8125a229f2abe81fc9a07ed2a0485bf5c77a464cab39d61f20
                      • Instruction ID: cc71d4a235f55e88022fbd81188167dbfe52cc1375fde7d78f484fb301cbbef6
                      • Opcode Fuzzy Hash: 564edff2f3bdce8125a229f2abe81fc9a07ed2a0485bf5c77a464cab39d61f20
                      • Instruction Fuzzy Hash: 96417C7190021AABCF04EFD4D8859EEBBB5EF68310F10441AF90273292CB709A55DFE0
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: H_prologfputs
                      • String ID: Can not open the file$The archive is open with offset$The file is open$WARNING:
                      • API String ID: 1798449854-3393983761
                      • Opcode ID: 98160f285681151298a4fa0d39448a213b5696a32859673e10a6efe05f89c0cd
                      • Instruction ID: bcd18efb284a45e849ac81d737dfa26474774afb414426a058f4762d109f49e6
                      • Opcode Fuzzy Hash: 98160f285681151298a4fa0d39448a213b5696a32859673e10a6efe05f89c0cd
                      • Instruction Fuzzy Hash: 11216531A14609EFCB15EB64C9969BEB7F4EF68310F00402AF616977D2DB31AC56DB80
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: fputs
                      • String ID: Decoding ERROR$ Fv$8T!$@Fv$@T!
                      • API String ID: 1795875747-2996289530
                      • Opcode ID: 5603881ebbfa4bb0520f61aa6262b26d3b640e133c4d5c54012b74215e9575f1
                      • Instruction ID: 1fa6341b19d7f2273e9ad5b152597cb4082a5a1d2ff54b40a57d75d50fd97e39
                      • Opcode Fuzzy Hash: 5603881ebbfa4bb0520f61aa6262b26d3b640e133c4d5c54012b74215e9575f1
                      • Instruction Fuzzy Hash: E7217C30915259DBDF26DB94D895BECB770BF64300F1081E9E115621E2CB741E94CF51
                      APIs
                      • _CxxThrowException.MSVCRT(?,002136D8), ref: 002013FE
                        • Part of subcall function 001D1CA1: fputc.MSVCRT ref: 001D1CA8
                      • fputs.MSVCRT ref: 002013DD
                      • fputs.MSVCRT ref: 002013E2
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: fputs$ExceptionThrowfputc
                      • String ID: 8T!$@Fv$ERROR:
                      • API String ID: 2339886702-157201810
                      • Opcode ID: 21a6778a0243b11d7d801db692c0caf8c5d364782cfab27b23012e6200f02517
                      • Instruction ID: 9632c09f88b86af951b218a36fcf66b83028519002aa695931c8100d95535a07
                      • Opcode Fuzzy Hash: 21a6778a0243b11d7d801db692c0caf8c5d364782cfab27b23012e6200f02517
                      • Instruction Fuzzy Hash: 0AF0A0B2A11318BBCB01BBD9DD8589EB7ADDF99711310005BE500A33A2CAB15E119B90
                      APIs
                      • GetVersionExW.KERNEL32 ref: 0020491A
                      • GetVersionExW.KERNEL32(?), ref: 00204921
                      • GetModuleHandleW.KERNEL32(kernel32.dll,SetDefaultDllDirectories), ref: 00204941
                      • GetProcAddress.KERNEL32(00000000), ref: 00204948
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: Version$AddressHandleModuleProc
                      • String ID: SetDefaultDllDirectories$kernel32.dll
                      • API String ID: 2268189529-2102062458
                      • Opcode ID: 3cd3aafecc64f7ab626594e5c27cbc2f6be3e009f9db53469e5712b1a99a9b59
                      • Instruction ID: ed8cc95a924ab1b94ea4d9a3b72c7f613f688328e0f0c43095c21b2c554dd892
                      • Opcode Fuzzy Hash: 3cd3aafecc64f7ab626594e5c27cbc2f6be3e009f9db53469e5712b1a99a9b59
                      • Instruction Fuzzy Hash: 32F0A7B1615307ABEB14AFE4DC49A9B77D86B45B01F04C42DBA55D20C2D674C454CBA2
                      APIs
                      • __EH_prolog.LIBCMT ref: 001E6E8C
                      • __aulldiv.LIBCMT ref: 001E6F4E
                      • __aulldiv.LIBCMT ref: 001E6F59
                        • Part of subcall function 001D1AB0: free.MSVCRT(00000000,001ED714,00000001,00000001,?,?,001D10EB,?,00000000), ref: 001D1AB4
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: __aulldiv$H_prologfree
                      • String ID: 8$pB
                      • API String ID: 1133914492-3589495084
                      • Opcode ID: 537aab76ce57d8c6f0b8dc74a32fa9e7cd6832024a2f38d2c60c4f8406af03e9
                      • Instruction ID: 49bfaa38b2e61c2b33f69822166412fc14d4bf7990536600dcb42e8dae1a68ca
                      • Opcode Fuzzy Hash: 537aab76ce57d8c6f0b8dc74a32fa9e7cd6832024a2f38d2c60c4f8406af03e9
                      • Instruction Fuzzy Hash: D3128971904689EFDF14DFA9C880AEDBBB5BF58300F24856AF919AB291C7319E41CF50
                      APIs
                      • __EH_prolog.LIBCMT ref: 001D51C6
                      • CreateDirectoryW.KERNEL32(?,00000000,00000000,?,00000000), ref: 001D51E8
                      • GetLastError.KERNEL32(?,00000000,00000000,?,00000000), ref: 001D51F9
                      • CreateDirectoryW.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 001D5234
                      • GetLastError.KERNEL32 ref: 001D5242
                      • GetLastError.KERNEL32(00000000,?,00000000), ref: 001D529A
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: ErrorLast$CreateDirectory$H_prolog
                      • String ID:
                      • API String ID: 798237638-0
                      APIs
                      • __EH_prolog.LIBCMT ref: 001D5ADF
                        • Part of subcall function 001D58A4: FindClose.KERNELBASE(00000000,?,001D58DC), ref: 001D58AF
                      • SetLastError.KERNEL32(00000078,00000000,?,?), ref: 001D5B08
                      • SetLastError.KERNEL32(00000000,00000000,?,?), ref: 001D5B14
                      • FindFirstStreamW.KERNELBASE(?,00000000,?,00000000), ref: 001D5B35
                      • GetLastError.KERNEL32(?,?), ref: 001D5B42
                      • FindFirstStreamW.KERNELBASE(?,00000000,?,00000000), ref: 001D5B7E
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: ErrorFindLast$FirstStream$CloseH_prolog
                      • String ID:
                      • API String ID: 1050961465-0
                      APIs
                      • fputs.MSVCRT ref: 00202B0E
                        • Part of subcall function 00202634: fputs.MSVCRT ref: 0020269D
                      • fputs.MSVCRT ref: 00202C8F
                        • Part of subcall function 001D1C92: fflush.MSVCRT ref: 001D1C94
                      • fputs.MSVCRT ref: 00202BC1
                        • Part of subcall function 001D1CA1: fputc.MSVCRT ref: 001D1CA8
                        • Part of subcall function 001D1CB4: __EH_prolog.LIBCMT ref: 001D1CB9
                        • Part of subcall function 001D1CB4: fputs.MSVCRT ref: 001D1D2C
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: fputs$H_prologfflushfputc
                      • String ID: ERRORS:$WARNINGS:
                      • API String ID: 1876658717-3472301450
                      APIs
                      • __EH_prolog.LIBCMT ref: 001F4A5A
                        • Part of subcall function 001DFCD2: __EH_prolog.LIBCMT ref: 001DFCD7
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: H_prolog
                      • String ID: : $...$Junction: $REPARSE:
                      • API String ID: 3519838083-1476144188
                      APIs
                      • __EH_prolog.LIBCMT ref: 001E3ED1
                        • Part of subcall function 001D1AB0: free.MSVCRT(00000000,001ED714,00000001,00000001,?,?,001D10EB,?,00000000), ref: 001D1AB4
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: H_prologfree
                      • String ID: act:$ cpus:$ gran:$ page:
                      • API String ID: 1978129608-454015223
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: strlen$fputs
                      • String ID:
                      • API String ID: 1552308726-399585960
                      APIs
                      • __EH_prolog.LIBCMT ref: 001D4EF3
                      • GetModuleHandleW.KERNEL32(kernel32.dll,CreateHardLinkW), ref: 001D4F0D
                      • GetProcAddress.KERNEL32(00000000), ref: 001D4F14
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: AddressH_prologHandleModuleProc
                      • String ID: CreateHardLinkW$kernel32.dll
                      • API String ID: 786088110-294928789
                      APIs
                      • GetModuleHandleW.KERNEL32(kernel32.dll,GetDiskFreeSpaceExW,756EF5D0,000000FF,00000000,?,?,?,?,?,?,?,?,?,001D6760,00000001), ref: 001D7DE9
                      • GetProcAddress.KERNEL32(00000000), ref: 001D7DF0
                      • GetDiskFreeSpaceW.KERNEL32(00000001,001D6760,?,?,?,?,?,?,?,?,?,?,?,?,001D6760,00000001), ref: 001D7E40
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: AddressDiskFreeHandleModuleProcSpace
                      • String ID: GetDiskFreeSpaceExW$kernel32.dll
                      • API String ID: 1197914913-1127948838
                      APIs
                      • __EH_prolog.LIBCMT ref: 0020172F
                      • fputs.MSVCRT ref: 00201758
                        • Part of subcall function 001D4B2F: __EH_prolog.LIBCMT ref: 001D4B34
                        • Part of subcall function 001D1CB4: __EH_prolog.LIBCMT ref: 001D1CB9
                        • Part of subcall function 001D1CB4: fputs.MSVCRT ref: 001D1D2C
                        • Part of subcall function 001D1CA1: fputc.MSVCRT ref: 001D1CA8
                        • Part of subcall function 001D1AB0: free.MSVCRT(00000000,001ED714,00000001,00000001,?,?,001D10EB,?,00000000), ref: 001D1AB4
                      • fputs.MSVCRT ref: 0020179C
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: H_prologfputs$fputcfree
                      • String ID: : $----------------
                      • API String ID: 1941438168-4071417161
                      APIs
                      • __EH_prolog.LIBCMT ref: 001FBA1E
                      • EnterCriticalSection.KERNEL32(002156E0), ref: 001FBA30
                      • fputs.MSVCRT ref: 001FBA80
                        • Part of subcall function 001D1CB4: __EH_prolog.LIBCMT ref: 001D1CB9
                        • Part of subcall function 001D1CB4: fputs.MSVCRT ref: 001D1D2C
                        • Part of subcall function 001D1CA1: fputc.MSVCRT ref: 001D1CA8
                        • Part of subcall function 001D1C92: fflush.MSVCRT ref: 001D1C94
                      • LeaveCriticalSection.KERNEL32(002156E0), ref: 001FBAAC
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: CriticalH_prologSectionfputs$EnterLeavefflushfputc
                      • String ID: V!
                      • API String ID: 84800229-1153007120
                      APIs
                      • __EH_prolog.LIBCMT ref: 002031C9
                      • fputs.MSVCRT ref: 002031EC
                        • Part of subcall function 001D1CB4: __EH_prolog.LIBCMT ref: 001D1CB9
                        • Part of subcall function 001D1CB4: fputs.MSVCRT ref: 001D1D2C
                      • fputs.MSVCRT ref: 00203228
                        • Part of subcall function 001D1CA1: fputc.MSVCRT ref: 001D1CA8
                        • Part of subcall function 001D1AB0: free.MSVCRT(00000000,001ED714,00000001,00000001,?,?,001D10EB,?,00000000), ref: 001D1AB4
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: fputs$H_prolog$fputcfree
                      • String ID: : $Write SFX:
                      • API String ID: 2632947726-2530961540
                      APIs
                      • GetSystemInfo.KERNEL32(?), ref: 001E3E8D
                        • Part of subcall function 001E3ECC: __EH_prolog.LIBCMT ref: 001E3ED1
                      • GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 001E3EA7
                      • GetProcAddress.KERNEL32(00000000), ref: 001E3EAE
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: AddressH_prologHandleInfoModuleProcSystem
                      • String ID: GetNativeSystemInfo$kernel32.dll
                      • API String ID: 2024292667-192647395
                      APIs
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: H_prolog
                      • String ID:
                      • API String ID: 3519838083-0
                      APIs
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: wcscmp$ExceptionH_prologThrow
                      • String ID:
                      • API String ID: 2750596395-0
                      APIs
                      • WideCharToMultiByte.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 001D3166
                      • GetLastError.KERNEL32 ref: 001D316F
                      • _CxxThrowException.MSVCRT(?,0020E118), ref: 001D318D
                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000001,00000001), ref: 001D31F4
                      • _CxxThrowException.MSVCRT(0000FDE9,0020E118), ref: 001D321C
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: ByteCharExceptionMultiThrowWide$ErrorLast
                      • String ID:
                      • API String ID: 2296236218-0
                      APIs
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: memcmp
                      • String ID:
                      • API String ID: 1475443563-0
                      APIs
                      • __EH_prolog.LIBCMT ref: 001D4C34
                      • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000), ref: 001D4C73
                      • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,00000000), ref: 001D4CB3
                      • SetFileTime.KERNEL32(000000FF,?,?,?), ref: 001D4CD5
                      • CloseHandle.KERNEL32(000000FF), ref: 001D4CE3
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: File$Create$CloseH_prologHandleTime
                      • String ID:
                      • API String ID: 213185242-0
                      APIs
                      • __EH_prolog.LIBCMT ref: 001FCD0F
                      • fputs.MSVCRT ref: 001FCD2D
                      • fputs.MSVCRT ref: 001FCD52
                        • Part of subcall function 001D1AB0: free.MSVCRT(00000000,001ED714,00000001,00000001,?,?,001D10EB,?,00000000), ref: 001D1AB4
                      • fputs.MSVCRT ref: 001FCD6C
                      • fputs.MSVCRT ref: 001FCD99
                        • Part of subcall function 001D1CA1: fputc.MSVCRT ref: 001D1CA8
                      Similarity
                      • API ID: fputs$H_prologfputcfree
                      • String ID:
                      • API String ID: 3247574066-0
                      APIs
                      Strings
                      Similarity
                      • API ID: H_prolog$ExceptionThrow
                      • String ID: Incorrect volume size:
                      • API String ID: 2366012087-1799541332
                      APIs
                      • __EH_prolog.LIBCMT ref: 001DC4CC
                      • _CxxThrowException.MSVCRT(?,0020EF08), ref: 001DC5D8
                      • _CxxThrowException.MSVCRT(00000000,0020EF08), ref: 001DC5F6
                        • Part of subcall function 001DC60C: __EH_prolog.LIBCMT ref: 001DC611
                        • Part of subcall function 001DC60C: _CxxThrowException.MSVCRT(00000000,0020EF08), ref: 001DC6B5
                      Strings
                      • There is no second file name for rename pair:, xrefs: 001DC5C5
                      Similarity
                      • API ID: ExceptionThrow$H_prolog
                      • String ID: There is no second file name for rename pair:
                      • API String ID: 206451386-3412818124
                      APIs
                      Strings
                      Similarity
                      • API ID: fputs$H_prolog
                      • String ID: 0T!
                      • API String ID: 2614055831-1234482316
                      APIs
                      Strings
                      Similarity
                      • API ID: H_prologfputs
                      • String ID: Name$Size
                      • API String ID: 1798449854-481755742
                      APIs
                      Strings
                      Similarity
                      • API ID: fputs$fputc
                      • String ID: : Removing files after including to archive$Removing
                      • API String ID: 1185151155-1218467041
                      APIs
                      • __EH_prolog.LIBCMT ref: 001E6C26
                        • Part of subcall function 001E366C: memset.MSVCRT ref: 001E3684
                        • Part of subcall function 001E366C: strlen.MSVCRT ref: 001E36A2
                      Strings
                      Similarity
                      • API ID: H_prologmemsetstrlen
                      • String ID: ?$ MB$RAM
                      • API String ID: 2475707007-294454972
                      APIs
                      Strings
                      Similarity
                      • API ID: fputs$H_prolog
                      • String ID: =
                      • API String ID: 2614055831-2525689732
                      APIs
                      • __EH_prolog.LIBCMT ref: 001DC611
                        • Part of subcall function 001DD510: __EH_prolog.LIBCMT ref: 001DD515
                      • _CxxThrowException.MSVCRT(00000000,0020EF08), ref: 001DC6B5
                      Strings
                      Similarity
                      • API ID: H_prolog$ExceptionThrow
                      • String ID: -r0$Unsupported rename command:
                      • API String ID: 2366012087-1002762148
                      APIs
                      Strings
                      Similarity
                      • API ID: fputs$H_prolog
                      • String ID: :
                      • API String ID: 2614055831-3653984579
                      APIs
                      Strings
                      Similarity
                      • API ID: fputs$H_prolog
                      • String ID: Archive size: $Files read from disk
                      • API String ID: 2614055831-3736835528
                      APIs
                      • __EH_prolog.LIBCMT ref: 001FDDFC
                      • fputs.MSVCRT ref: 001FDE11
                      • fputs.MSVCRT ref: 001FDE1A
                        • Part of subcall function 001FDE75: __EH_prolog.LIBCMT ref: 001FDE7A
                        • Part of subcall function 001FDE75: fputs.MSVCRT ref: 001FDEB7
                        • Part of subcall function 001FDE75: fputs.MSVCRT ref: 001FDEED
                      Strings
                      Similarity
                      • API ID: fputs$H_prolog
                      • String ID: =
                      • API String ID: 2614055831-2525689732
                      APIs
                      • GetModuleHandleW.KERNEL32(ntdll.dll), ref: 001D7F22
                      • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 001D7F32
                      Strings
                      Similarity
                      • API ID: AddressHandleModuleProc
                      • String ID: RtlGetVersion$ntdll.dll
                      • API String ID: 1646373207-1489217083
                      APIs
                      • __EH_prolog.LIBCMT ref: 001FB572
                      • EnterCriticalSection.KERNEL32(002156E0), ref: 001FB583
                      • LeaveCriticalSection.KERNEL32(002156E0), ref: 001FB5BB
                      Strings
                      Similarity
                      • API ID: CriticalSection$EnterH_prologLeave
                      • String ID: V!
                      • API String ID: 367238759-1153007120
                      APIs
                      • __EH_prolog.LIBCMT ref: 001FBD21
                      • EnterCriticalSection.KERNEL32(002156E0), ref: 001FBD3B
                      • LeaveCriticalSection.KERNEL32(002156E0), ref: 001FBD57
                      Strings
                      Similarity
                      • API ID: CriticalSection$EnterH_prologLeave
                      • String ID: V!
                      • API String ID: 367238759-1153007120
                      APIs
                      • __EH_prolog.LIBCMT ref: 001FB512
                      • EnterCriticalSection.KERNEL32(002156E0), ref: 001FB523
                      • LeaveCriticalSection.KERNEL32(002156E0), ref: 001FB555
                        • Part of subcall function 00202763: GetTickCount.KERNEL32 ref: 00202778
                      Strings
                      Similarity
                      • API ID: CriticalSection$CountEnterH_prologLeaveTick
                      • String ID: V!
                      • API String ID: 2547919631-1153007120
                      APIs
                      Strings
                      Similarity
                      • API ID: fputs$fputc
                      • String ID: $:
                      • API String ID: 1185151155-4041779174
                      APIs
                      Strings
                      Similarity
                      • API ID: fputs$fputc
                      • String ID: 8T!$@Fv
                      • API String ID: 1185151155-3385233085
                      APIs
                      • fputs.MSVCRT ref: 001FEFC5
                      • fputs.MSVCRT ref: 001FEFCE
                        • Part of subcall function 001D1F3A: fputs.MSVCRT ref: 001D1F57
                        • Part of subcall function 001D1CA1: fputc.MSVCRT ref: 001D1CA8
                      Strings
                      Similarity
                      • API ID: fputs$fputc
                      • String ID: Fv$Archives
                      • API String ID: 1185151155-2812094757
                      APIs
                      • GetModuleHandleW.KERNEL32(ntdll.dll,00000000,001E4867), ref: 001E77AA
                      • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 001E77BA
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: AddressHandleModuleProc
                      • String ID: RtlGetVersion$ntdll.dll
                      • API String ID: 1646373207-1489217083
                      • Opcode ID: aaeca389ada527409b6fcceab9e0918595ac1026c807937067a5043d3a178428
                      • Instruction ID: 7a4cd910b0b9f328ad22ce4fe73043e2fb07e87b25d9dc6bbf6f02d7bddf7573
                      • Opcode Fuzzy Hash: aaeca389ada527409b6fcceab9e0918595ac1026c807937067a5043d3a178428
                      • Instruction Fuzzy Hash: 46D0A931B283226EFB5427B67C0EAEA22889F4AB107020492F802D10D3EBD08CC248A0
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: fputs
                      • String ID: Fv$@T!$Unsupported Windows version
                      • API String ID: 1795875747-1854733579
                      • Opcode ID: af1bcb90d84e6611237f12ec77d7fefca5ae0e1c06ca92298dfb49186a7f22aa
                      • Instruction ID: 5baf9b4a7f9c4efd9ddc424e756a6c77809602ac40664af899f4b763993f417e
                      • Opcode Fuzzy Hash: af1bcb90d84e6611237f12ec77d7fefca5ae0e1c06ca92298dfb49186a7f22aa
                      • Instruction Fuzzy Hash: 7DD0C773B58741DFD7055B88F45EB987760E788725F1044ABD103D51E2D7B554109710
                      APIs
                      • GetModuleHandleW.KERNEL32(kernel32.dll,GetLargePageMinimum,001DB921), ref: 0020417A
                      • GetProcAddress.KERNEL32(00000000), ref: 00204181
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: AddressHandleModuleProc
                      • String ID: GetLargePageMinimum$kernel32.dll
                      • API String ID: 1646373207-2515562745
                      • Opcode ID: deb6cd7fe0d17d430e31eaf15621de55044b005f7689c220bcf83b251546432b
                      • Instruction ID: abc5421602e8e6a3acc9cf8459081f8097397d5d1827f07e8208c2d5dffa664e
                      • Opcode Fuzzy Hash: deb6cd7fe0d17d430e31eaf15621de55044b005f7689c220bcf83b251546432b
                      • Instruction Fuzzy Hash: 8FD0C9B57617039ADF29AFB1BC0D629F658AA65B857048558E51AC20D3EF60C9A0CA20
                      APIs
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: memcmp
                      • String ID:
                      • API String ID: 1475443563-0
                      • Opcode ID: 069d28195f4aa21db931c36219845540da220d2ef5acc91519e1558fc0076590
                      • Instruction ID: e677c715b9a724c3e406058f4777bcdf49d0cd608a1903706d693f5a8bc32d8a
                      • Opcode Fuzzy Hash: 069d28195f4aa21db931c36219845540da220d2ef5acc91519e1558fc0076590
                      • Instruction Fuzzy Hash: EC11EFB13203047BCB149E20CC87FAA73A46B69710F018529FE49AB3C3F7B4F9619680
                      APIs
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,000004B0,?,?,00000000,?,001D187B,0000FDE9,7FFFFFE0,?,?), ref: 001D30A5
                      • GetLastError.KERNEL32(?,00000000,?,001D187B,0000FDE9,7FFFFFE0,?,?,00000002,?,00000001,00000000), ref: 001D30AE
                      • _CxxThrowException.MSVCRT(00000000,0020E118), ref: 001D30C8
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,?,?,00000000,?,001D187B,0000FDE9,7FFFFFE0,?,?,00000002), ref: 001D30ED
                      • _CxxThrowException.MSVCRT(00000000,0020E118), ref: 001D3103
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: ByteCharExceptionMultiThrowWide$ErrorLast
                      • String ID:
                      • API String ID: 2296236218-0
                      • Opcode ID: c7fb2304486a48e3406568c832afa0cbb47b15f2bd118a609e0d5c8a6b39a399
                      • Instruction ID: d73008951b8cbcc207badf367d153cec3eb8dc30f52ade508307864d24748f58
                      • Opcode Fuzzy Hash: c7fb2304486a48e3406568c832afa0cbb47b15f2bd118a609e0d5c8a6b39a399
                      • Instruction Fuzzy Hash: AA114CB1201206BFD714DF55CC81E6AB7E9EF44380B10852AF919C7241E770AE51CBA4
                      APIs
                      • __EH_prolog.LIBCMT ref: 001EB05B
                        • Part of subcall function 001D43AF: __EH_prolog.LIBCMT ref: 001D43B4
                      • strcmp.MSVCRT ref: 001EB105
                        • Part of subcall function 001D150C: __EH_prolog.LIBCMT ref: 001D1511
                        • Part of subcall function 001D1AB0: free.MSVCRT(00000000,001ED714,00000001,00000001,?,?,001D10EB,?,00000000), ref: 001D1AB4
                      • memset.MSVCRT ref: 001EB24A
                        • Part of subcall function 001EBE2E: __EH_prolog.LIBCMT ref: 001EBE33
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: H_prolog$freememsetstrcmp
                      • String ID:
                      • API String ID: 149676679-0
                      • Opcode ID: 1f7fb8fbaeae9ee948e25637de405ce3f88cfe8a55a999ec3cb064e9122b41c0
                      • Instruction ID: 0665bf102676c1c5ac352c2b60aae2b843be268eefec9df02359926883ce84d8
                      • Opcode Fuzzy Hash: 1f7fb8fbaeae9ee948e25637de405ce3f88cfe8a55a999ec3cb064e9122b41c0
                      • Instruction Fuzzy Hash: 58C17B31C04698EFCF05EBE5D9969EEFBB4FF24310F24815AE416A72A2CB305A45CB50
                      APIs
                      • __EH_prolog.LIBCMT ref: 002035E7
                      • EnterCriticalSection.KERNEL32(00215708,?,00000001,?,?,00203952,?,0000006F,?,?,00000000), ref: 002035FB
                      • fputs.MSVCRT ref: 0020364C
                      • LeaveCriticalSection.KERNEL32(00215708,?,00000001,?,?,00203952,?,0000006F,?,?,00000000), ref: 00203711
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: CriticalSection$EnterH_prologLeavefputs
                      • String ID:
                      • API String ID: 2174113412-0
                      • Opcode ID: f324b9a8df6bde26bddc6ef208051de3f1cbc927b18820df351a3213bdf9ea21
                      • Instruction ID: da4f708621414b5fe3a8ed429307519856c9a0476c4f06ea4a354fa641754150
                      • Opcode Fuzzy Hash: f324b9a8df6bde26bddc6ef208051de3f1cbc927b18820df351a3213bdf9ea21
                      • Instruction Fuzzy Hash: BA31F271610746EFCB21DF64C490BAEBBEAFF55300F04442EE49A973A2CB326955CB41
                      APIs
                      • GetFileSecurityW.ADVAPI32(?,00000007,?,?,?,00000000,?,00000000,?), ref: 001E7F1F
                      • GetLastError.KERNEL32(?,00000000,?), ref: 001E7F44
                      • GetFileSecurityW.ADVAPI32(?,00000007,?,?,?,?,?,00000000,?), ref: 001E7F81
                      • GetLastError.KERNEL32(?,?,?,?,?,00000000,?), ref: 001E7F97
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: ErrorFileLastSecurity
                      • String ID:
                      • API String ID: 555121230-0
                      • Opcode ID: 67a9c8733a301013f4771e468e77e58eaca73439b3044391fd0ec3671b50ae8e
                      • Instruction ID: 9f657c2f90c1636a55218eca7c9c3ff48b805d7d7f66b05b4bdeab58c59bdffa
                      • Opcode Fuzzy Hash: 67a9c8733a301013f4771e468e77e58eaca73439b3044391fd0ec3671b50ae8e
                      • Instruction Fuzzy Hash: 90318F70904609EFEF14DFA5C884BEEBBB5FF44304F108959E466A7291D770AE81DBA0
                      APIs
                      • __EH_prolog.LIBCMT ref: 001D6DFD
                      • GetFileInformationByHandle.KERNEL32(000000FF,?,?,00000000,00000001,00000003,02200000,?,?,00000000), ref: 001D6E49
                      • DeviceIoControl.KERNEL32(000000FF,000900A8,00000000,00000000,00000000,00004000,?,00000000), ref: 001D6E76
                      • memcpy.MSVCRT ref: 001D6E95
                        • Part of subcall function 001D1AB0: free.MSVCRT(00000000,001ED714,00000001,00000001,?,?,001D10EB,?,00000000), ref: 001D1AB4
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: ControlDeviceFileH_prologHandleInformationfreememcpy
                      • String ID:
                      • API String ID: 1689166341-0
                      • Opcode ID: 567bd98cae83fbe0adccf90defcff9d246490669aec12c3aab644fad24440323
                      • Instruction ID: 9f0907e80e0239e0fae59d9b4c87336303415f77730548bb1b168037e231d1f4
                      • Opcode Fuzzy Hash: 567bd98cae83fbe0adccf90defcff9d246490669aec12c3aab644fad24440323
                      • Instruction Fuzzy Hash: 2D217FB6900244BEDF10EF94DD81EEEBBB9EF94780F10452EF94567291C7315E448A60
                      APIs
                      • __EH_prolog.LIBCMT ref: 001FA483
                      • EnterCriticalSection.KERNEL32(002156C0), ref: 001FA49F
                      • LeaveCriticalSection.KERNEL32(002156C0), ref: 001FA4C7
                      • LeaveCriticalSection.KERNEL32(002156C0), ref: 001FA508
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: CriticalSection$Leave$EnterH_prolog
                      • String ID:
                      • API String ID: 2532973370-0
                      • Opcode ID: da024dd8d4703529d8ec280aa8c75a1b96e99ad8466c18e38ddb57d0ba0da6e0
                      • Instruction ID: f5cddf4cd22770e27a6f3ced9ca01093fbaa1d6991864ad3849902a05bb685ec
                      • Opcode Fuzzy Hash: da024dd8d4703529d8ec280aa8c75a1b96e99ad8466c18e38ddb57d0ba0da6e0
                      • Instruction Fuzzy Hash: 4911AC757007159BC710CF58D8D8A7EB7E9BF8D710B548528E60ED7702C7B8AC418BA1
                      APIs
                      • __EH_prolog.LIBCMT ref: 001D4FEF
                      • CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000001), ref: 001D5011
                      • GetLastError.KERNEL32(?,00000000,?,00000000,00000001), ref: 001D501B
                      • CreateDirectoryW.KERNEL32(?,00000000,00000000,?,00000000,00000001), ref: 001D5052
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: CreateDirectory$ErrorH_prologLast
                      • String ID:
                      • API String ID: 1817354178-0
                      • Opcode ID: 33518489d289c9e85e96a1d022f7889b3e1cf2f51dec2f0fcaf77961b9894ee2
                      • Instruction ID: 181802f966aa39c87ad94d615d8c541ac612f1f673fd9533fd53ab4a65e30ffa
                      • Opcode Fuzzy Hash: 33518489d289c9e85e96a1d022f7889b3e1cf2f51dec2f0fcaf77961b9894ee2
                      • Instruction Fuzzy Hash: 3601DD32904715A7CF146B649986BBE7776DF50350F140027F903A33D2DB654D45DAE1
                      APIs
                      • __EH_prolog.LIBCMT ref: 001FA520
                      • EnterCriticalSection.KERNEL32(002156C0), ref: 001FA535
                      • _CxxThrowException.MSVCRT(?,0020E118), ref: 001FA572
                      • LeaveCriticalSection.KERNEL32(002156C0,00000000,00000000,?,0020E118), ref: 001FA58B
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: CriticalSection$EnterExceptionH_prologLeaveThrow
                      • String ID:
                      • API String ID: 4150843469-0
                      • Opcode ID: 4375eab0574bd0ee46f8778148016e433723b70320c267210cbd4552d0272926
                      • Instruction ID: f508ac500f8c3ba55835374aad27c024d2fac9f8f884e7469f4ddc1c53ed37ca
                      • Opcode Fuzzy Hash: 4375eab0574bd0ee46f8778148016e433723b70320c267210cbd4552d0272926
                      • Instruction Fuzzy Hash: 3F01D2B291021EEFDB04DF44D845AEEB778FF54305F008026E50562652D774AE54CBA0
                      APIs
                      • _beginthreadex.MSVCRT ref: 00204645
                      • SetThreadAffinityMask.KERNEL32(00000000,?), ref: 0020465E
                      • ResumeThread.KERNEL32(00000000), ref: 00204665
                      • GetLastError.KERNEL32 ref: 00204677
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: Thread$AffinityErrorLastMaskResume_beginthreadex
                      • String ID:
                      • API String ID: 3268521904-0
                      • Opcode ID: 5fc12b9804cf5472bc8cb6a824e58bb8873bc3791f9ef3857c0d90f48b697da4
                      • Instruction ID: aa470a771e00bf718df2827e4fc89682ef4d0d8825a460515b4733e61984dbcd
                      • Opcode Fuzzy Hash: 5fc12b9804cf5472bc8cb6a824e58bb8873bc3791f9ef3857c0d90f48b697da4
                      • Instruction Fuzzy Hash: 44F090722053125BD310AF58AC0CF6B7769ABC1B61F008119F605C61D2D7619C96C7A1
                      APIs
                      • __EH_prolog.LIBCMT ref: 002034BA
                      • fputs.MSVCRT ref: 002034E9
                      • fputs.MSVCRT ref: 002034F2
                      • fputs.MSVCRT ref: 002034F9
                        • Part of subcall function 001D1CA1: fputc.MSVCRT ref: 001D1CA8
                        • Part of subcall function 001D1AB0: free.MSVCRT(00000000,001ED714,00000001,00000001,?,?,001D10EB,?,00000000), ref: 001D1AB4
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: fputs$H_prologfputcfree
                      • String ID:
                      • API String ID: 3247574066-0
                      • Opcode ID: 31d51563227446e4a5b5a97040d457e4558dc130e2ebfa35a80d146f91ed3771
                      • Instruction ID: 10c7f5d3649f460ef324cd069b0265ec01e26bdd1135a7e2a4205a2ea8e7d1fb
                      • Opcode Fuzzy Hash: 31d51563227446e4a5b5a97040d457e4558dc130e2ebfa35a80d146f91ed3771
                      • Instruction Fuzzy Hash: B1F09072D00119ABCB06BB94DC429AEFF75EF64350F104027E506232E2DB710961DFC0
                      APIs
                      • __EH_prolog.LIBCMT ref: 001EB60E
                        • Part of subcall function 001E7DE9: __EH_prolog.LIBCMT ref: 001E7DEE
                        • Part of subcall function 001E98C0: __EH_prolog.LIBCMT ref: 001E98C5
                        • Part of subcall function 001EBBA8: __EH_prolog.LIBCMT ref: 001EBBAD
                        • Part of subcall function 001EB056: __EH_prolog.LIBCMT ref: 001EB05B
                        • Part of subcall function 001EB056: strcmp.MSVCRT ref: 001EB105
                        • Part of subcall function 001D1AB0: free.MSVCRT(00000000,001ED714,00000001,00000001,?,?,001D10EB,?,00000000), ref: 001D1AB4
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: H_prolog$freestrcmp
                      • String ID: Scanning error
                      • API String ID: 4197192761-2691707340
                      • Opcode ID: 33c64a4d507b69cade2c78ae55e4e0911345a133d1571202d7f9bcb8943f78bf
                      • Instruction ID: 67d86b9c177a433996a89fd165b7707b7efb7db8fd42377df065e24ce629e2f5
                      • Opcode Fuzzy Hash: 33c64a4d507b69cade2c78ae55e4e0911345a133d1571202d7f9bcb8943f78bf
                      • Instruction Fuzzy Hash: 7D02E270908699EFCF15DFA5C894BEEBBB0BF14310F1480A9E45AA7292DB309E44CF51
                      APIs
                      • __EH_prolog.LIBCMT ref: 001E39A7
                        • Part of subcall function 002045F0: _beginthreadex.MSVCRT ref: 00204604
                      • __aulldiv.LIBCMT ref: 001E3C3C
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: H_prolog__aulldiv_beginthreadex
                      • String ID:
                      • API String ID: 2901374343-3916222277
                      • Opcode ID: 0699ed0d85ecb9dfc480b7f9ccb4315f49ef88e355408422752e31ff67bd9176
                      • Instruction ID: b86403b4187ad7ce024b822b50aa354d00e7ef55ca2e9602a26b11112dced2c1
                      • Opcode Fuzzy Hash: 0699ed0d85ecb9dfc480b7f9ccb4315f49ef88e355408422752e31ff67bd9176
                      • Instruction Fuzzy Hash: 28A191B1E006459FCB24DFA6C8859AEFBB5FF88310F24852EE566A7251C730AE45CF50
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: H_prolog
                      • String ID: Unknown error$Unknown warning
                      • API String ID: 3519838083-4291957651
                      • Opcode ID: 45599b70b02bd92528f2c5d9697a5ad832b7b3b15d03e323d4b4d2e75397581f
                      • Instruction ID: bf1935406f758ce9b96ec0dff785f56887d298fec000bca21b01c1847c2fe04a
                      • Opcode Fuzzy Hash: 45599b70b02bd92528f2c5d9697a5ad832b7b3b15d03e323d4b4d2e75397581f
                      • Instruction Fuzzy Hash: 5C913971A01749CFCB24DFA5C991AEEB7B1FF58304F50456DE85AA7280DB70AE0ACB50
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.1421028280.00000000001D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 001D0000, based on PE: true
                      • Associated: 00000006.00000002.1420985673.00000000001D0000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421108447.0000000000209000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421159778.0000000000215000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000006.00000002.1421199456.0000000000219000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_1d0000_7z.jbxd
                      Similarity
                      • API ID: CountTickfputs
                      • String ID: .
                      • API String ID: 290905099-4150638102
                      • Opcode ID: ff5b24f64817d0ef52e6c881be64824e0844a05a69a4c50068b140cdbfeaf3a5
                      • Instruction ID: 71aa6fff9e90c7d856e6af04ff77f6aa0b5e695711eac69a5b8a900ad3402336
                      • Opcode Fuzzy Hash: ff5b24f64817d0ef52e6c881be64824e0844a05a69a4c50068b140cdbfeaf3a5
                      • Instruction Fuzzy Hash: 6A714B30610B05EFCB21EF68C599AAAF7F6AF90304F50491EE49797692DB70F949CB10
                      APIs
                      • __EH_prolog.LIBCMT ref: 001DCEDF
                      • _CxxThrowException.MSVCRT(?,0020EF08), ref: 001DD0B1
                        • Part of subcall function 001D1AB0: free.MSVCRT(00000000,001ED714,00000001,00000001,?,?,001D10EB,?,00000000), ref: 001D1AB4
                      Strings
                      • incorrect update switch command, xrefs: 001DD09E
                      Similarity
                      • API ID: ExceptionH_prologThrowfree
                      • String ID: incorrect update switch command
                      • API String ID: 2564996034-2497410926
                      • Opcode ID: f76fcf6b1869d5e52b54805e6941472acf92c93ec93c723f6cafbd98ba7a381b
                      • Instruction ID: 1516f5916e645998cbdf8fb8118a04942ee3194c53f219a5370fd25c45f05b51
                      • Opcode Fuzzy Hash: f76fcf6b1869d5e52b54805e6941472acf92c93ec93c723f6cafbd98ba7a381b
                      • Instruction Fuzzy Hash: D5514732C01259EBDF24EB94DA41BEDBBB5BF64310F20458AE51677291CB706E45CBA0
                      APIs
                      Strings
                      Similarity
                      • API ID: wcscmp
                      • String ID: UNC
                      • API String ID: 3392835482-337201128
                      • Opcode ID: 4e7ec4119f737de94cf3191bb63f8e1cd45f0d1daa516151e2a6071abf093fea
                      • Instruction ID: 678fc9c4a10db0566e17390dccde843df7b2797f4ba8c97ad7c48618f847994c
                      • Opcode Fuzzy Hash: 4e7ec4119f737de94cf3191bb63f8e1cd45f0d1daa516151e2a6071abf093fea
                      • Instruction Fuzzy Hash: 0F2162357006019FD724CF98E9D5E22B3E1EF59350729886BF5469B796C731EC41CB40
                      APIs
                      Strings
                      Similarity
                      • API ID: H_prolog
                      • String ID: $pB
                      • API String ID: 3519838083-2237891951
                      • Opcode ID: 3692975cb9487cf9774e8be4d98d8a522ec803d0a4b2e28fb459b77c2ce9b554
                      • Instruction ID: 34dab2ff16d0cfed05e6ff205d5ed34b60e73eba3d7d90bf9bf3ede54e069b76
                      • Opcode Fuzzy Hash: 3692975cb9487cf9774e8be4d98d8a522ec803d0a4b2e28fb459b77c2ce9b554
                      • Instruction Fuzzy Hash: C121A271E00B5A8BCF14DFE9C8884FEF7B2BF58300F204629C662B3281C7744A46DA60
                      APIs
                      Strings
                      Similarity
                      • API ID: __aulldivstrlen
                      • String ID: M
                      • API String ID: 1892184250-3664761504
                      • Opcode ID: b8309cace89ecf32abb88b187cf3c50570066d239d7242cb6a59f9ecc5093e40
                      • Instruction ID: 9cf8022a25017bbd60d211b10f8050aacb7fbee71f4c949942a0b6d6d3796d40
                      • Opcode Fuzzy Hash: b8309cace89ecf32abb88b187cf3c50570066d239d7242cb6a59f9ecc5093e40
                      • Instruction Fuzzy Hash: 08112672610344AADB11EAB8D855FAEB7ED9B98314F14482EE342931D3C671B8098720
                      APIs
                      • __EH_prolog.LIBCMT ref: 001DD254
                      • _CxxThrowException.MSVCRT(?,0020EF08), ref: 001DD2F1
                      Strings
                      Similarity
                      • API ID: ExceptionH_prologThrow
                      • String ID: Unsupported charset:
                      • API String ID: 461045715-616772432
                      • Opcode ID: 7f92ef30c136b14e5c1e9dd828751d6b80ac86d940e70c351b79b9c42a08c8e4
                      • Instruction ID: 91a402b2e4610199a69849cde87c9a828a455b44786ccbd936b04265adba367c
                      • Opcode Fuzzy Hash: 7f92ef30c136b14e5c1e9dd828751d6b80ac86d940e70c351b79b9c42a08c8e4
                      • Instruction Fuzzy Hash: 5F213A72A00209ABCF04EFD8D481DEEB771EF99314F15416AF9466B392CB31AD45CB90
                      APIs
                      Strings
                      Similarity
                      • API ID: H_prolog
                      • String ID: 0$x
                      • API String ID: 3519838083-1948001322
                      • Opcode ID: 7887c4c2bfb387cee06a21689acbf5faf886cb8a203963e2cd0ab1b1b0dbc1bb
                      • Instruction ID: 5acfeb8e9053ddee0ab532fa55d5ad09855c5db0ac5dbd705da0a3f814d9a3d0
                      • Opcode Fuzzy Hash: 7887c4c2bfb387cee06a21689acbf5faf886cb8a203963e2cd0ab1b1b0dbc1bb
                      • Instruction Fuzzy Hash: 25214A32D0121DABCF15EB98D991AEEF7B5FF68314F10015AE51177282DB755E04CBA0
                      APIs
                      Strings
                      Similarity
                      • API ID: H_prolog
                      • String ID: / $ :
                      • API String ID: 3519838083-1815150141
                      • Opcode ID: fdb11d30e60d0aea8fb76579fb3efc62401b6c0390e0c2ac78c36ea2db33f2cb
                      • Instruction ID: 88a497fe39c607142a3f4b044cb0136b43f37f2498f4c82f7122eb1889c55004
                      • Opcode Fuzzy Hash: fdb11d30e60d0aea8fb76579fb3efc62401b6c0390e0c2ac78c36ea2db33f2cb
                      • Instruction Fuzzy Hash: 94112E32910218ABCF14EB94DC56EEEB3B4BF68700F04041EF12673692DF78AA14CB20
                      APIs
                      • __EH_prolog.LIBCMT ref: 001DE47F
                      • GetLastError.KERNEL32(?), ref: 001DE48B
                        • Part of subcall function 001D4B2F: __EH_prolog.LIBCMT ref: 001D4B34
                        • Part of subcall function 001D1AB0: free.MSVCRT(00000000,001ED714,00000001,00000001,?,?,001D10EB,?,00000000), ref: 001D1AB4
                      Strings
                      Similarity
                      • API ID: H_prolog$ErrorLastfree
                      • String ID: :
                      • API String ID: 683690243-3653984579
                      • Opcode ID: a95947a69eb5f0f122a889e932c17b1c1aa03b93e91b097eeb0755edcd075fd8
                      • Instruction ID: fbfafdd7b86f103cb9649c5206355edb2fa5cd0333f3bf7e129df4ed14bf4c45
                      • Opcode Fuzzy Hash: a95947a69eb5f0f122a889e932c17b1c1aa03b93e91b097eeb0755edcd075fd8
                      • Instruction Fuzzy Hash: FC01C432D00205ABCB04FBA8C546AEEBBB5AF64311F10445AF502A7392CF719A45CBA0
                      APIs
                      Strings
                      • Can not open the file as archive, xrefs: 001FE186
                      • Can not open encrypted archive. Wrong password?, xrefs: 001FE14E
                      Similarity
                      • API ID: fputs
                      • String ID: Can not open encrypted archive. Wrong password?$Can not open the file as archive
                      • API String ID: 1795875747-2399861261
                      • Opcode ID: b42664b28c75d4afd4d49d829193ca2c18adf7f02e8d60fa88d05d028b74511c
                      • Instruction ID: 344c46f41ba3b74373cbbb8d4a49a7f490fd7ab0c8fcb674088bd7d8d93d70bd
                      • Opcode Fuzzy Hash: b42664b28c75d4afd4d49d829193ca2c18adf7f02e8d60fa88d05d028b74511c
                      • Instruction Fuzzy Hash: 3B01D671354300BBC719DB65C495A7EB3D79FD8301F24451AFA02437D1DF71A811AB41
                      APIs
                      Strings
                      Similarity
                      • API ID: fputs
                      • String ID: Fv$@T!
                      • API String ID: 1795875747-2418029004
                      • Opcode ID: 378ef9b9fe0f99440fcf47f97c651f2c25273458dde68a3678b5c60638b1d5af
                      • Instruction ID: 151a557ebe2d0b410dceb81ba906828a0e2b4cc940ebec0c762abf09ae820c44
                      • Opcode Fuzzy Hash: 378ef9b9fe0f99440fcf47f97c651f2c25273458dde68a3678b5c60638b1d5af
                      • Instruction Fuzzy Hash: 06F05932A092256FDF116B68AC49AEDBFB8EBA9350F100517E802A3192D7215865C3A0
                      APIs
                      Strings
                      Similarity
                      • API ID: fputs
                      • String ID: =
                      • API String ID: 1795875747-2525689732
                      • Opcode ID: c77b1fa8cc8728233222fb6b60b8e9a91d0343868f7d21a08d2f8377133228f3
                      • Instruction ID: e6bb06804bdde770951c51b03d5d63ec0c6d64f9e5f705baff2f3dc05f8bb5bc
                      • Opcode Fuzzy Hash: c77b1fa8cc8728233222fb6b60b8e9a91d0343868f7d21a08d2f8377133228f3
                      • Instruction Fuzzy Hash: 0AE0D876A0021967DF04A7D8BC598BA7B3AFBC13507540822F51197282F770E821CFD1
                      APIs
                      • OpenEventW.KERNEL32(00000002,00000000,00000002,Unsupported Map data size,00000002,?,001DCBD1,?,?,00000000,?), ref: 001DCC26
                      • GetLastError.KERNEL32(?,001DCBD1,?,?,00000000,?), ref: 001DCC33
                      Strings
                      • Unsupported Map data size, xrefs: 001DCC19
                      Similarity
                      • API ID: ErrorEventLastOpen
                      • String ID: Unsupported Map data size
                      • API String ID: 330508107-1172413320
                      • Opcode ID: 5132286360ae6722211cebc51c83c6d26f0fe9e0145f960c0c3b07297902a67b
                      • Instruction ID: a21e0406ebf3d5dbfed7dd07286c80cde21447a996eb97b3153180765e8aff0e
                      • Opcode Fuzzy Hash: 5132286360ae6722211cebc51c83c6d26f0fe9e0145f960c0c3b07297902a67b
                      • Instruction Fuzzy Hash: C9E06D71520214EBEB14EFA4ED0BB99B7B8AF10754F20405AA542A2292FBB26E00DA54
                      APIs
                      • fputs.MSVCRT ref: 0020224A
                        • Part of subcall function 001D1EB9: fputs.MSVCRT ref: 001D1ED6
                        • Part of subcall function 001D1CA1: fputc.MSVCRT ref: 001D1CA8
                      Strings
                      Similarity
                      • API ID: fputs$fputc
                      • String ID: 8T!$@Fv
                      • API String ID: 1185151155-3385233085
                      • Opcode ID: 50ac847db15692ec6baa450a8749395cd74a6e4b64422292b101b7f96e40b963
                      • Instruction ID: b373519501ab6183cb361caf05ec64168e2b151f7186fe93471a0b8bce447d7b
                      • Opcode Fuzzy Hash: 50ac847db15692ec6baa450a8749395cd74a6e4b64422292b101b7f96e40b963
                      • Instruction Fuzzy Hash: C8E01A75A14611DFCF029FA4E84E46DBBB1EB583207500086F901A73A2DB215C50AB80
                      APIs
                        • Part of subcall function 002023FE: fputs.MSVCRT ref: 0020241F
                        • Part of subcall function 002023FE: fputs.MSVCRT ref: 00202424
                      • fputs.MSVCRT ref: 002022CE
                        • Part of subcall function 001D1CA1: fputc.MSVCRT ref: 001D1CA8
                      Strings
                      Similarity
                      • API ID: fputs$fputc
                      • String ID: 8T!$@Fv
                      • API String ID: 1185151155-3385233085
                      • Opcode ID: 2584723089b90b9314ae650fd3c516ae099175e238d4ce9f0bc4eb0884c4b91c
                      • Instruction ID: 56762b4cab78ce2bf10fdc1ef4b04bb0e259fde7fa35635937f2d55687757801
                      • Opcode Fuzzy Hash: 2584723089b90b9314ae650fd3c516ae099175e238d4ce9f0bc4eb0884c4b91c
                      • Instruction Fuzzy Hash: A6D05B75E28710DFC71197F8B40E44D77E0EF9932139004D9F401D72E3CA1594109B55
                      APIs
                        • Part of subcall function 002023FE: fputs.MSVCRT ref: 0020241F
                        • Part of subcall function 002023FE: fputs.MSVCRT ref: 00202424
                      • fputs.MSVCRT ref: 00202302
                        • Part of subcall function 001D1CA1: fputc.MSVCRT ref: 001D1CA8
                      Strings
                      Similarity
                      • API ID: fputs$fputc
                      • String ID: 8T!$@Fv
                      • API String ID: 1185151155-3385233085
                      • Opcode ID: 0f940956ee795390d307ef7707227b5b6c45e05d081ee132cb4271a849f71715
                      • Instruction ID: 188dbefb941c9efa378268e0fa4fca20bcbf9b121f2c671d79a9136e8470aa52
                      • Opcode Fuzzy Hash: 0f940956ee795390d307ef7707227b5b6c45e05d081ee132cb4271a849f71715
                      • Instruction Fuzzy Hash: DED0A772938610EBCB0267E0B80E48CBBA1EF9532139000DEF801A31F3CA1504209F01
                      APIs
                      Similarity
                      • API ID: memcmp
                      • String ID:
                      • API String ID: 1475443563-0
                      • Opcode ID: 1d15d91be9ebd8f7224275aeb9a34546803c544a658ff4e43175a6c887c8e200
                      • Instruction ID: 8683dbf1d47fcd9d88226198b5f01511144e71877400a91724a2362ac74df72e
                      • Opcode Fuzzy Hash: 1d15d91be9ebd8f7224275aeb9a34546803c544a658ff4e43175a6c887c8e200
                      • Instruction Fuzzy Hash: 8511E1B271030867CB049F14CC86FBA73A49B65750F068668FF05EB2C3E7B4FA208690
                      APIs
                      Similarity
                      • API ID: memcmp
                      • String ID:
                      • API String ID: 1475443563-0
                      • Opcode ID: dc9b98837fd52a5fdd1255a994b40f58e6c0e6b95c09ca3aabd5d34b38f159a0
                      • Instruction ID: d69bdf476078311150426523820d5d7b73c2766ef1d3cf02dff7cf0384975e82
                      • Opcode Fuzzy Hash: dc9b98837fd52a5fdd1255a994b40f58e6c0e6b95c09ca3aabd5d34b38f159a0
                      • Instruction Fuzzy Hash: 0611E1B136030467CB189E64DC46FBA73A89BA5710F058569FE059B3C2E7A0F9608A84
                      APIs
                      Similarity
                      • API ID: memcmp
                      • String ID:
                      • API String ID: 1475443563-0
                      • Opcode ID: dbe7cb19f3312d78d893b730906a37b2e40e1c0cda94df69dc0bd8a65ece95fe
                      • Instruction ID: 6d84f051f6bbc7184dec87b32ef43c6608e38272e9ec7748136582a07396e7cc
                      • Opcode Fuzzy Hash: dbe7cb19f3312d78d893b730906a37b2e40e1c0cda94df69dc0bd8a65ece95fe
                      • Instruction Fuzzy Hash: F401E1B13503096BC7259E14CC42FB973A49B65B10F058528FF459B2C3F3B4F9208A50
                      APIs
                      Similarity
                      • API ID: memcmp
                      • String ID:
                      • API String ID: 1475443563-0
                      • Opcode ID: 4787cda8fa5c1039673bdc4240d703490fa874e8249c481ae8e8616187a4d1d9
                      • Instruction ID: ace5045a61a9a7a84c31032e53105113a449fb0291a8bd8e05889baaab19800a
                      • Opcode Fuzzy Hash: 4787cda8fa5c1039673bdc4240d703490fa874e8249c481ae8e8616187a4d1d9
                      • Instruction Fuzzy Hash: 8701C4B13603076BE7205E14CC8BFB973A45B65740F058428FE49AB2C3FAA4F870A695

                      Execution Graph

                      Execution Coverage:1.7%
                      Dynamic/Decrypted Code Coverage:0%
                      Signature Coverage:8.9%
                      Total number of Nodes:1778
                      Total number of Limit Nodes:184
416d7d 80115->80122 80187 4245b0 78 API calls ctype 80116->80187 80117->80090 80117->80122 80125 416cd7 80118->80125 80126 416c6a 80118->80126 80122->80090 80131 416c27 80122->80131 80122->80135 80124 416d5e 80124->80117 80125->80103 80190 4245b0 78 API calls ctype 80125->80190 80127 4177c0 264 API calls 80126->80127 80130 416c7e 80127->80130 80132 416ca4 80130->80132 80189 4245b0 78 API calls ctype 80130->80189 80131->80090 80134 40fa60 47 API calls 80132->80134 80134->80103 80135->80131 80193 4245b0 78 API calls ctype 80135->80193 80137 4162a9 80136->80137 80138 4162b7 OpenProcess 80136->80138 80201 489e90 80137->80201 80138->80061 80138->80062 80140->80053 80141->80080 80142->80064 80143->80083 80144->80097 80145->80099 80146->80085 80148 4177f4 80147->80148 80155 4178c4 80147->80155 80148->80155 80160 4178b9 80148->80160 80272 58c4f3 46 API calls _wctomb_s 80148->80272 80151 417863 80152 4178c9 80151->80152 80156 41786a 80151->80156 80273 58c4f3 46 API calls _wctomb_s 80152->80273 80154 4178d6 80154->80160 80274 58c4f3 46 API calls _wctomb_s 80154->80274 80155->80092 80157 417896 ExpandEnvironmentStringsW 80156->80157 80157->80155 80157->80160 80159 417920 80161 417a32 80159->80161 80163 41792b 80159->80163 80160->80155 80311 417cb0 174 API calls 80160->80311 80307 58c4f3 46 API calls _wctomb_s 80161->80307 80275 417480 80163->80275 80164 417a3f 80164->80160 80173 417a9a 80164->80173 80308 43cc6d 53 API calls 80164->80308 80169 417a19 80171 45cf60 32 API calls 80169->80171 80170 41798a 80177 4179cd 80170->80177 80298 58c4f3 46 API calls _wctomb_s 80170->80298 80171->80160 80172 417aff QueryDosDeviceW 80172->80160 80174 417b1b 80172->80174 80173->80160 80173->80172 80174->80160 80309 58c4f3 46 API calls _wctomb_s 80174->80309 80176 417b32 80176->80160 80310 43cc6d 53 API calls 80176->80310 80299 45cf60 80177->80299 80179->80095 80181 40fa69 80180->80181 80182 40fa6d 80180->80182 80181->80108 80357 40e4e0 80182->80357 80184 40fa73 80185 40fa7a 80184->80185 80186 
40fa7e GetLongPathNameW 80184->80186 80185->80108 80186->80108 80187->80131 80188->80118 80189->80132 80190->80103 80191->80124 80192->80107 80193->80131 80194->80070 80195->80057 80196->80098 80197->80093 80198->80060 80199->80071 80200->80077 80207 488a80 80201->80207 80203 489e9e 80204 489ec3 80203->80204 80225 489c90 80203->80225 80204->80138 80206 489eb7 FindCloseChangeNotification 80206->80204 80239 4380d0 80207->80239 80209 488a91 80210 488b3d 80209->80210 80211 488aaf OpenProcess 80209->80211 80212 488aa7 GetCurrentProcess 80209->80212 80210->80203 80213 488add 80211->80213 80214 488ac5 OpenProcess 80211->80214 80212->80213 80216 488b34 80213->80216 80217 488ae8 GetCurrentProcessId 80213->80217 80218 488af2 80213->80218 80214->80213 80215 488ad4 OpenProcess 80214->80215 80215->80213 80216->80203 80217->80218 80220 488b2d CloseHandle 80218->80220 80250 4732e0 106 API calls 80218->80250 80220->80216 80221 488b00 OpenProcessToken 80223 488b29 80221->80223 80224 488b1e GetLastError 80221->80224 80223->80216 80223->80220 80224->80223 80226 4380d0 169 API calls 80225->80226 80227 489c9d 80226->80227 80228 489dae 80227->80228 80251 48e8c0 80227->80251 80228->80206 80230 489cf7 80255 48a400 80230->80255 80232 489d06 80233 489d0d LookupPrivilegeValueW 80232->80233 80234 489d35 AdjustTokenPrivileges 80232->80234 80233->80234 80235 489d1f GetLastError 80233->80235 80236 489d8e GetLastError 80234->80236 80237 489da3 80234->80237 80235->80206 80236->80237 80238 489d9a GetLastError 80236->80238 80237->80206 80238->80237 80240 43844a 80239->80240 80241 4380de 80239->80241 80240->80209 80241->80240 80242 4380ed 80241->80242 80243 4732d0 106 API calls 80242->80243 80244 4380fb 80243->80244 80245 4380ff LoadLibraryW 80244->80245 80246 43810c LoadLibraryA 80244->80246 80247 438117 80245->80247 80246->80247 80248 43811f 61 API calls 80247->80248 80249 43811d 80247->80249 80248->80240 80249->80209 80250->80221 80252 48e8cb 80251->80252 80254 48e8f6 80251->80254 80253 48e8ff 
WideCharToMultiByte 80252->80253 80252->80254 80253->80230 80254->80230 80256 48a424 80255->80256 80257 48a437 80255->80257 80256->80232 80258 474660 3 API calls 80257->80258 80259 48a441 80258->80259 80270 473240 106 API calls 80259->80270 80261 48a44f 80262 4747d0 2 API calls 80261->80262 80263 48a46c 80262->80263 80264 48a48d 80263->80264 80271 474ab0 RegQueryValueExA RegQueryValueExA 80263->80271 80266 474750 RegCloseKey 80264->80266 80268 48a49e 80266->80268 80267 48a482 80269 474820 RegCloseKey 80267->80269 80268->80232 80269->80264 80270->80261 80271->80267 80272->80151 80273->80154 80274->80159 80312 45d020 80275->80312 80277 4174ad 80278 45d020 33 API calls 80277->80278 80279 4174bc GetTickCount GetLogicalDrives 80278->80279 80280 4174dd 80279->80280 80281 41752e 80280->80281 80348 4245b0 78 API calls ctype 80280->80348 80282 417584 80281->80282 80283 417539 80281->80283 80335 417640 80282->80335 80349 45d270 38 API calls ctype 80283->80349 80286 417594 80290 45d020 33 API calls 80286->80290 80288 417568 80350 45d270 38 API calls ctype 80288->80350 80291 4175c9 80290->80291 80351 45d270 38 API calls ctype 80291->80351 80292 417576 80292->80170 80294 4175d1 80295 45d020 33 API calls 80294->80295 80296 4175e2 80295->80296 80352 45d270 38 API calls ctype 80296->80352 80298->80170 80300 45d000 80299->80300 80304 45cf75 80299->80304 80301 5bb961 ctype 29 API calls 80300->80301 80303 45d00b 80301->80303 80302 45cf8f InterlockedDecrement 80302->80304 80303->80169 80304->80300 80304->80302 80305 43bcd8 EnterCriticalSection LeaveCriticalSection ctype 80304->80305 80306 5bb961 ctype 29 API calls 80304->80306 80305->80304 80306->80304 80307->80164 80308->80173 80309->80176 80310->80160 80311->80155 80313 45d034 80312->80313 80314 45d09a 80313->80314 80324 45d03f 80313->80324 80315 45d0d0 80314->80315 80316 45d0a0 80314->80316 80319 45d1c6 80315->80319 80332 45d0db 80315->80332 80318 5bb938 ctype 29 API calls 80316->80318 80317 45d07d 80320 5bb961 ctype 29 API calls 
80317->80320 80321 45d0ad 80318->80321 80326 5bb938 ctype 29 API calls 80319->80326 80323 45d085 80320->80323 80321->80277 80322 45d063 InterlockedDecrement 80322->80324 80323->80277 80324->80317 80324->80322 80353 455dc0 31 API calls ctype 80324->80353 80329 45d20d 80326->80329 80327 45d0e2 80327->80277 80328 45d13e InterlockedDecrement 80328->80332 80329->80329 80330 5bb961 ctype 29 API calls 80329->80330 80331 45d25a 80330->80331 80331->80277 80332->80327 80332->80328 80333 43bcd8 EnterCriticalSection LeaveCriticalSection ctype 80332->80333 80334 5bb961 ctype 29 API calls 80332->80334 80333->80332 80334->80332 80336 45d020 33 API calls 80335->80336 80337 417672 80336->80337 80338 45d020 33 API calls 80337->80338 80339 417683 GetLogicalDrives 80338->80339 80340 41769b 80339->80340 80341 417791 80340->80341 80342 4559d0 69 API calls 80340->80342 80347 456240 32 API calls 80340->80347 80354 45d6b0 38 API calls ctype 80340->80354 80356 45d6b0 38 API calls ctype 80340->80356 80341->80286 80342->80340 80344 4176f0 QueryDosDeviceW 80355 456520 35 API calls ctype 80344->80355 80347->80340 80348->80281 80349->80288 80350->80292 80351->80294 80352->80292 80353->80324 80354->80344 80355->80340 80356->80340 80358 40e4eb 80357->80358 80359 40e4f4 80357->80359 80358->80184 80365 40e5fb 80359->80365 80394 58c4f3 46 API calls _wctomb_s 80359->80394 80361 40e521 80361->80365 80395 58c4f3 46 API calls _wctomb_s 80361->80395 80362 40e67b 80362->80184 80364 40e542 80364->80365 80396 58c4f3 46 API calls _wctomb_s 80364->80396 80365->80362 80404 58c4f3 46 API calls _wctomb_s 80365->80404 80368 40e563 80368->80365 80397 58c4f3 46 API calls _wctomb_s 80368->80397 80369 40e6c8 80369->80362 80405 58c4f3 46 API calls _wctomb_s 80369->80405 80372 40e57b 80372->80365 80398 58c4f3 46 API calls _wctomb_s 80372->80398 80373 40e6e0 80373->80362 80406 58c4f3 46 API calls _wctomb_s 80373->80406 80376 40e6f4 80376->80362 80407 58c4f3 46 API calls _wctomb_s 80376->80407 80377 40e593 80377->80365 
80399 58c4f3 46 API calls _wctomb_s 80377->80399 80380 40e708 80380->80362 80408 58c4f3 46 API calls _wctomb_s 80380->80408 80381 40e5ab 80381->80365 80400 58c4f3 46 API calls _wctomb_s 80381->80400 80384 40e5bf 80384->80365 80401 58c4f3 46 API calls _wctomb_s 80384->80401 80385 40e71c 80385->80362 80409 58c4f3 46 API calls _wctomb_s 80385->80409 80388 40e5d3 80388->80365 80402 58c4f3 46 API calls _wctomb_s 80388->80402 80389 40e730 80389->80362 80410 58c4f3 46 API calls _wctomb_s 80389->80410 80391 40e5e7 80391->80365 80403 58c4f3 46 API calls _wctomb_s 80391->80403 80394->80361 80395->80364 80396->80368 80397->80372 80398->80377 80399->80381 80400->80384 80401->80388 80402->80391 80403->80365 80404->80369 80405->80373 80406->80376 80407->80380 80408->80385 80409->80389 80410->80362 80411->79998 80413 415fc3 80412->80413 80414 43b789 CloseHandle 80412->80414 80413->80008 80414->80413 80415->79377 80417 42566a 80416->80417 80418 42567c 80416->80418 80419 425671 Sleep 80417->80419 80418->79380 80419->80418 80419->80419 80420->79373 80421->79379 80422->79385 80423->79391 80424->79389 80425->79396 80426->79387 80427->79392 80428->79395 80429->79398 80430->79401 80432 43cb60 80431->80432 80435 4425a3 __aulldiv __aullrem _rand 80431->80435 80432->79406 80440 442463 44 API calls 80432->80440 80433 442d19 44 API calls 80433->80435 80434 43e62b _wctomb_s 29 API calls 80434->80435 80435->80432 80435->80433 80435->80434 80436 43e542 ___free_lc_time 29 API calls 80435->80436 80437 442d4e 44 API calls 80435->80437 80438 442d7f 44 API calls 80435->80438 80439 449f11 39 API calls 80435->80439 80436->80435 80437->80435 80438->80435 80439->80435 80440->79406 80442 41cfbc 80441->80442 80443 41cfac 80441->80443 80445 41cfcd RegQueryValueExA 80442->80445 80451 41d048 80442->80451 80454 41cf60 RegOpenKeyExA 80443->80454 80446 41d03e 80445->80446 80449 41cfed 80445->80449 80448 41cf90 RegCloseKey 80446->80448 80446->80451 80447 41d011 RegQueryValueExA 80447->80446 80450 41d027 
80447->80450 80448->80451 80449->80446 80449->80447 80452 41d031 80450->80452 80455 41cf90 80450->80455 80451->79409 80452->79409 80454->80442 80456 41cf98 RegCloseKey 80455->80456 80457 41cf9f 80455->80457 80456->80457 80457->80452 80459 4214ac 80458->80459 80473 4215b7 80458->80473 80460 474660 3 API calls 80459->80460 80461 4214f1 80460->80461 80462 4747d0 2 API calls 80461->80462 80463 421510 80462->80463 80472 421559 80463->80472 80474 474bf0 31 API calls ctype 80463->80474 80464 474820 RegCloseKey 80466 421565 80464->80466 80467 474750 RegCloseKey 80466->80467 80468 421579 80467->80468 80470 421581 GetProfileStringA 80468->80470 80468->80473 80469 421527 80471 5bb961 ctype 29 API calls 80469->80471 80469->80472 80470->80473 80471->80472 80472->80464 80473->79417 80474->80469 80475->79426 80476->79428 80477->79433 80479 455d1c 80478->80479 80480 455d28 80478->80480 80479->79438 80481 455d40 80480->80481 80482 455d2d 80480->80482 80484 455d48 80481->80484 80485 455d5b 80481->80485 80483 43bc49 31 API calls 80482->80483 80486 455d37 80483->80486 80487 43bc49 31 API calls 80484->80487 80488 455d76 80485->80488 80489 455d63 80485->80489 80486->79438 80487->80486 80490 455d91 80488->80490 80491 455d7e 80488->80491 80492 43bc49 31 API calls 80489->80492 80494 5bb938 ctype 29 API calls 80490->80494 80493 43bc49 31 API calls 80491->80493 80492->80486 80493->80486 80494->80486 80495->79438 80496->79438 80497->79438 80498->79441 80571 455f60 80499->80571 80501 42184b 80502 455f60 36 API calls 80501->80502 80503 421853 80502->80503 80504 455f60 36 API calls 80503->80504 80505 42185b 80504->80505 80506 45d020 33 API calls 80505->80506 80507 421867 80506->80507 80508 4563f0 80507->80508 80509 456407 80508->80509 80510 45650d 80508->80510 80511 456423 80509->80511 80512 45647e 80509->80512 80510->79446 80516 456452 80511->80516 80517 455d10 31 API calls 80511->80517 80513 4564fe InterlockedIncrement 80512->80513 80514 45648b InterlockedDecrement 80512->80514 80513->80510 
80515 456496 80514->80515 80533 4564ae 80514->80533 80519 4564b0 80515->80519 80520 4564a3 80515->80520 80516->79446 80518 456438 80517->80518 80518->80516 80521 456440 InterlockedDecrement 80518->80521 80523 4564c5 80519->80523 80524 4564b8 80519->80524 80624 43bcd8 EnterCriticalSection LeaveCriticalSection 80520->80624 80521->80516 80527 45644b 80521->80527 80525 4564cd 80523->80525 80526 4564da 80523->80526 80625 43bcd8 EnterCriticalSection LeaveCriticalSection 80524->80625 80626 43bcd8 EnterCriticalSection LeaveCriticalSection 80525->80626 80531 4564e3 80526->80531 80532 4564ef 80526->80532 80623 455dc0 31 API calls ctype 80527->80623 80627 43bcd8 EnterCriticalSection LeaveCriticalSection 80531->80627 80535 5bb961 ctype 29 API calls 80532->80535 80533->80513 80535->80533 80537 5bb2d5 67 API calls 80536->80537 80538 421919 80537->80538 80539 421933 80538->80539 80540 5bb3f0 35 API calls 80538->80540 80541 421967 80539->80541 80542 42193d 80539->80542 80540->80539 80544 474660 3 API calls 80541->80544 80543 5bb267 ctype 32 API calls 80542->80543 80545 421955 80543->80545 80547 421981 80544->80547 80545->79448 80548 4219ac 80547->80548 80549 4747d0 2 API calls 80547->80549 80551 421b94 80547->80551 80562 43e141 46 API calls 80547->80562 80563 474820 RegCloseKey 80547->80563 80567 45ab70 78 API calls 80547->80567 80569 4563f0 36 API calls 80547->80569 80570 456240 32 API calls 80547->80570 80628 5bb3a0 35 API calls 80547->80628 80631 490ca0 33 API calls ctype 80547->80631 80632 4751d0 126 API calls 80547->80632 80633 421be0 36 API calls 80547->80633 80634 4557c0 36 API calls ctype 80547->80634 80635 45d6b0 38 API calls ctype 80547->80635 80636 476c50 RegOpenKeyExA RegQueryValueExA RegCloseKey 80547->80636 80637 491400 30 API calls ctype 80547->80637 80548->80547 80629 409ed0 110 API calls 80548->80629 80630 5b8b2f 62 API calls 80548->80630 80549->80547 80552 474750 RegCloseKey 80551->80552 80553 421ba2 80552->80553 80556 5bb267 ctype 32 API calls 80553->80556 80557 
421bb0 80556->80557 80559 5bb267 ctype 32 API calls 80557->80559 80560 421bc1 80559->80560 80560->79448 80562->80547 80563->80547 80567->80547 80569->80547 80570->80547 80572 455f70 80571->80572 80606 45607d 80571->80606 80573 456020 80572->80573 80574 455f7e 80572->80574 80576 456030 lstrlenW 80573->80576 80577 45602c 80573->80577 80575 455f8f InterlockedDecrement 80574->80575 80574->80606 80578 456014 80575->80578 80579 455f9a 80575->80579 80576->80577 80582 455d10 31 API calls 80577->80582 80577->80606 80578->80501 80580 455fa7 80579->80580 80581 455fbb 80579->80581 80615 43bcd8 EnterCriticalSection LeaveCriticalSection 80580->80615 80584 455fd7 80581->80584 80585 455fc3 80581->80585 80588 456057 80582->80588 80586 455ff3 80584->80586 80587 455fdf 80584->80587 80616 43bcd8 EnterCriticalSection LeaveCriticalSection 80585->80616 80592 455ffc 80586->80592 80593 45600f 80586->80593 80617 43bcd8 EnterCriticalSection LeaveCriticalSection 80587->80617 80594 45605f InterlockedDecrement 80588->80594 80588->80606 80589 455fb2 80589->80501 80618 43bcd8 EnterCriticalSection LeaveCriticalSection 80592->80618 80599 5bb961 ctype 29 API calls 80593->80599 80597 45606a 80594->80597 80594->80606 80595 455fce 80595->80501 80596 455fea 80596->80501 80601 456072 80597->80601 80602 45607f 80597->80602 80599->80578 80600 456006 80600->80501 80619 43bcd8 EnterCriticalSection LeaveCriticalSection 80601->80619 80604 456086 80602->80604 80605 456093 80602->80605 80620 43bcd8 EnterCriticalSection LeaveCriticalSection 80604->80620 80608 4560a7 80605->80608 80609 45609a 80605->80609 80606->80501 80610 4560af 80608->80610 80611 4560bb 80608->80611 80621 43bcd8 EnterCriticalSection LeaveCriticalSection 80609->80621 80622 43bcd8 EnterCriticalSection LeaveCriticalSection 80610->80622 80614 5bb961 ctype 29 API calls 80611->80614 80614->80606 80615->80589 80616->80595 80617->80596 80618->80600 80619->80606 80620->80606 80621->80606 80622->80606 80623->80516 80624->80533 80625->80533 80626->80533 
80627->80533 80628->80547 80629->80548 80630->80548 80631->80547 80632->80547 80633->80547 80634->80547 80635->80547 80636->80547 80637->80547 80639 4d533f GetVersionExA 80638->80639 80640 4d5379 80638->80640 80641 4d536f 80639->80641 80640->80641 80642 4d5382 80640->80642 80641->80640 80645 4d4d50 92 API calls ctype 80641->80645 80642->79473 80644 4d5390 80644->79473 80645->80644 80646->79488 80647->79485 80648->79485 80762 5bb327 80649->80762 80651 436a10 80652 436b13 80651->80652 80653 436b09 80651->80653 80655 5bb267 ctype 32 API calls 80652->80655 80820 40ce50 11 API calls 80653->80820 80658 436b27 80655->80658 80657 436b10 80657->80652 80658->79498 80659 5bb2d5 67 API calls 80660 4364cb 80659->80660 80770 5b8c5a 80660->80770 80665 436565 80667 4369e2 80665->80667 80668 43656f 80665->80668 80669 4369fc 80667->80669 80673 5bb961 ctype 29 API calls 80667->80673 80671 5bb327 36 API calls 80668->80671 80674 5bb267 ctype 32 API calls 80669->80674 80670 43652f 80795 4245b0 78 API calls ctype 80670->80795 80672 43657d 80671->80672 80676 5bb327 36 API calls 80672->80676 80673->80669 80674->80651 80710 436593 80676->80710 80677 436551 80678 456240 32 API calls 80677->80678 80678->80665 80679 43670d 80680 43673e 80679->80680 80801 4245b0 78 API calls ctype 80679->80801 80682 436a15 80680->80682 80683 43674b 80680->80683 80686 436a37 80682->80686 80689 5bb961 ctype 29 API calls 80682->80689 80802 46fdc0 35 API calls ctype 80683->80802 80690 5bb267 ctype 32 API calls 80686->80690 80687 436754 80803 470010 170 API calls 80687->80803 80689->80686 80691 436a4b 80690->80691 80693 5bb267 ctype 32 API calls 80691->80693 80695 436a5c 80693->80695 80694 436768 80696 436a72 80694->80696 80697 436770 GetTickCount 80694->80697 80699 436adc 80695->80699 80706 5bb961 ctype 29 API calls 80695->80706 80818 46fee0 32 API calls ctype 80696->80818 80804 5b8b2f 62 API calls 80697->80804 80702 5bb267 ctype 32 API calls 80699->80702 80707 436af0 80702->80707 80703 436a83 80708 436a9d 
80703->80708 80711 5bb961 ctype 29 API calls 80703->80711 80704 43678b 80805 40ce50 11 API calls 80704->80805 80706->80699 80707->80651 80819 434490 140 API calls 80707->80819 80712 5bb267 ctype 32 API calls 80708->80712 80710->80679 80714 456240 32 API calls 80710->80714 80796 5b8b2f 62 API calls 80710->80796 80797 435e50 305 API calls 80710->80797 80798 4558c0 37 API calls ctype 80710->80798 80799 4245b0 78 API calls ctype 80710->80799 80800 437490 29 API calls ctype 80710->80800 80711->80708 80717 436ab1 80712->80717 80713 436796 80806 5bb4fc 38 API calls 2 library calls 80713->80806 80714->80710 80719 5bb267 ctype 32 API calls 80717->80719 80719->80695 80720 4367ad 80807 40ee30 88 API calls ctype 80720->80807 80722 4367c3 80723 5bb267 ctype 32 API calls 80722->80723 80724 4367d6 MoveFileExA 80723->80724 80808 487bb0 187 API calls 80724->80808 80726 4367ed SetFileSecurityA 80809 40cd70 248 API calls 80726->80809 80728 436958 80817 46fee0 32 API calls ctype 80728->80817 80730 436969 80732 436988 80730->80732 80734 5bb961 ctype 29 API calls 80730->80734 80731 436801 80731->80728 80748 5bb267 ctype 32 API calls 80731->80748 80749 456240 32 API calls 80731->80749 80750 5b8b2f 62 API calls 80731->80750 80810 487bd0 187 API calls 80731->80810 80811 40ee30 88 API calls ctype 80731->80811 80812 5bafdc 36 API calls 80731->80812 80813 471090 192 API calls ctype 80731->80813 80814 434e80 317 API calls 80731->80814 80815 4558c0 37 API calls ctype 80731->80815 80816 4245b0 78 API calls ctype 80731->80816 80735 5bb267 ctype 32 API calls 80732->80735 80734->80732 80736 43699c 80735->80736 80738 5bb267 ctype 32 API calls 80736->80738 80739 4369ad 80738->80739 80740 4369c7 80739->80740 80744 5bb961 ctype 29 API calls 80739->80744 80742 5bb267 ctype 32 API calls 80740->80742 80746 4369db 80742->80746 80744->80740 80746->80707 80748->80731 80749->80731 80750->80731 80752->79494 80753->79499 80754->79504 80755->79508 80756->79511 80757->79515 80758->79518 80759->79498 80760->79498 
80761->79503 80763 5bb33a 80762->80763 80764 436463 80763->80764 80765 5bb0d4 31 API calls 80763->80765 80764->80651 80764->80659 80766 5bb355 80765->80766 80821 5bb85a WideCharToMultiByte 80766->80821 80768 5bb35f 80822 5bb6e6 80768->80822 80771 5bb210 34 API calls 80770->80771 80774 5b8c64 80771->80774 80772 4364e1 80775 436030 80772->80775 80774->80772 80834 43dc7a 29 API calls _wctomb_s 80774->80834 80776 436063 80775->80776 80777 4360b9 80775->80777 80778 5bb938 ctype 29 API calls 80776->80778 80777->80665 80794 4558c0 37 API calls ctype 80777->80794 80779 43606d 80778->80779 80779->80777 80835 468230 80779->80835 80783 4360ac 80784 4360b0 80783->80784 80792 4360e2 _rand 80783->80792 80844 468bb0 148 API calls ctype 80784->80844 80789 5bb267 ctype 32 API calls 80789->80792 80791 5bb938 29 API calls ctype 80791->80792 80792->80777 80792->80789 80792->80791 80793 5bb961 29 API calls ctype 80792->80793 80845 468490 31 API calls 80792->80845 80846 467fb0 39 API calls ctype 80792->80846 80847 4677f0 61 API calls 80792->80847 80848 467590 29 API calls 80792->80848 80793->80792 80794->80670 80795->80677 80796->80710 80797->80710 80798->80710 80799->80710 80800->80710 80801->80680 80802->80687 80803->80694 80804->80704 80805->80713 80806->80720 80807->80722 80808->80726 80809->80731 80810->80731 80811->80731 80812->80731 80813->80731 80814->80731 80815->80731 80816->80731 80817->80730 80818->80703 80819->80651 80820->80657 80821->80768 80827 5bb210 80822->80827 80824 5bb6ee 80825 5bb6ff 80824->80825 80826 5bb6f7 lstrlenA 80824->80826 80825->80764 80826->80825 80828 5bb21c 80827->80828 80832 5bb22b _wctomb_s 80827->80832 80833 5bb19e 32 API calls ctype 80828->80833 80830 5bb221 80831 5bb0d4 31 API calls 80830->80831 80831->80832 80832->80824 80833->80830 80834->80774 80836 46823f 80835->80836 80837 43609d 80836->80837 80849 46bcd0 29 API calls ctype 80836->80849 80837->80792 80843 46b310 29 API calls 80837->80843 80839 46824c 80850 46c070 80839->80850 80841 468269 
80841->80837 80872 46d460 108 API calls ctype 80841->80872 80843->80783 80844->80777 80845->80792 80846->80792 80847->80792 80848->80792 80849->80839 80873 46bd00 29 API calls ctype 80850->80873 80852 46c083 80853 46c0cd 80852->80853 80854 46c09d 80852->80854 80855 46c0d5 80853->80855 80856 46c0f0 80853->80856 80874 46c380 80854->80874 80857 46c380 49 API calls 80855->80857 80860 46c112 80856->80860 80861 46c109 80856->80861 80869 46c128 80856->80869 80859 46c0eb 80857->80859 80859->80841 80884 46a930 69 API calls ctype 80860->80884 80883 46c320 37 API calls ctype 80861->80883 80862 46c0b7 80862->80841 80866 46c118 80866->80869 80885 46c320 37 API calls ctype 80866->80885 80867 46c145 80887 46ced0 123 API calls 80867->80887 80886 46c8d0 123 API calls ctype 80869->80886 80870 46c155 80870->80841 80872->80837 80873->80852 80875 5bb938 ctype 29 API calls 80874->80875 80877 46c3a1 80875->80877 80876 46c3e7 80888 5bbb33 80876->80888 80877->80876 80878 5bb3f0 35 API calls 80877->80878 80878->80876 80880 46c429 80880->80862 80883->80860 80884->80866 80885->80869 80886->80867 80887->80870 80902 5bb1f2 80888->80902 80893 5bb3f0 35 API calls 80894 5bbb79 CreateFileA 80893->80894 80896 5bbc19 80894->80896 80897 46c408 80894->80897 80896->80897 80898 5bbc20 GetLastError 80896->80898 80897->80880 80901 43f50c KiUserExceptionDispatcher 80897->80901 80899 5bbc2f 80898->80899 80900 5bb3f0 35 API calls 80899->80900 80900->80897 80901->80880 80903 5bb1fa 80902->80903 80904 5bb20f 80902->80904 80905 5bb3f0 35 API calls 80903->80905 80906 5bc1bb 80904->80906 80905->80904 80921 43ed58 80906->80921 80908 5bc1c5 GetFullPathNameA 80909 5bc1fa 80908->80909 80910 5bc1e8 lstrcpynA 80908->80910 80922 5bc28b 80909->80922 80919 5bbb6b 80910->80919 80913 5bc22b 80915 5bc238 80913->80915 80916 5bc231 CharUpperA 80913->80916 80914 5bc26a 80917 5bb267 ctype 32 API calls 80914->80917 80915->80914 80918 5bc23e FindFirstFileA 80915->80918 80916->80915 80917->80919 80918->80914 80920 5bc253 FindClose 
lstrcpyA 80918->80920 80919->80893 80920->80914 80921->80908 80923 5bb697 34 API calls 80922->80923 80924 5bc29d _rand 80923->80924 80925 5bc2a9 lstrcpynA 80924->80925 80926 5bc2bc 80925->80926 80927 5bb6e6 35 API calls 80926->80927 80928 5bc211 GetVolumeInformationA 80927->80928 80928->80913 80928->80914 80929->79524 80930->79538 80931->79554 80932->79568 80933->79570 80934->79574 80935->79577 80936->79582 80937 40d7a0 CopyFileA 80938 40d7e2 80937->80938 80939 40d7bf GetLastError 80937->80939 80939->80938 80940 40d7ca 80939->80940 80943 40ce50 11 API calls 80940->80943 80942 40d7d1 CopyFileA 80943->80942 80944 417d40 80945 417d68 80944->80945 80946 43c6a0 29 API calls 80945->80946 80947 417d80 80946->80947 80948 417dc1 80947->80948 80949 417d9e GetDriveTypeA 80947->80949 80949->80948 80950 417dad 80949->80950 80950->80948 80951 417dea WNetGetConnectionA 80950->80951 80959 488000 170 API calls 80950->80959 80953 417e22 80951->80953 80955 417e84 80951->80955 80953->80955 80957 43c6a0 29 API calls 80953->80957 80954 417de3 80954->80951 80956 417e99 80955->80956 80960 488370 169 API calls 80955->80960 80957->80955 80959->80954 80960->80956 80961 43c7d2 80964 441994 80961->80964 80965 4419a5 80964->80965 80966 4419aa 80964->80966 81002 44240d 35 API calls ___CxxLongjmpUnwind@4 80965->81002 80968 4419b3 80966->80968 80970 4419d2 80966->80970 80972 43c7f8 80968->80972 81003 441ce9 35 API calls 2 library calls 80968->81003 80970->80972 80973 441a2f 80970->80973 80974 441a47 80973->80974 80981 441a54 80974->80981 81020 44240d 35 API calls ___CxxLongjmpUnwind@4 80974->81020 80976 441bb7 80977 441bdd 80976->80977 80978 441bbd 80976->80978 81028 442281 35 API calls _rand 80977->81028 81027 441be2 39 API calls _rand 80978->81027 80979 441ad4 80979->80976 80985 441aef 80979->80985 80981->80976 80981->80979 81021 442281 35 API calls _rand 80981->81021 80984 4423c3 80990 4423d4 80984->80990 81029 442281 35 API calls _rand 80984->81029 81004 43c9c6 80985->81004 80986 441a82 80993 

                      Control-flow Graph

                      APIs
                      • OpenSCManagerA.ADVAPI32(00000000,00000000,20000000), ref: 0041E330
                      • OpenServiceA.ADVAPI32(00000000,Winhlpsvr,20010000), ref: 0041E34B
                      • ControlService.ADVAPI32(00000000,00000001,?), ref: 0041E370
                      • DeleteService.ADVAPI32(00000000), ref: 0041E382
                      • CloseServiceHandle.ADVAPI32(00000000), ref: 0041E389
                      • CloseServiceHandle.ADVAPI32(00000000), ref: 0041E390
                      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,%s\wusa.exe %s\%s /quiet /norestart,00000000,00000000,Windows6.1-KB3033929-x64.msu,0002001F), ref: 0041E49D
                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041E4ED
                      • GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 0041E5A7
                      • CopyFileA.KERNEL32(?,?,00000000), ref: 0041E644
                      • CopyFileA.KERNEL32(?,?,00000000), ref: 0041E67A
                      • DeleteFileA.KERNEL32(?), ref: 0041E732
                      • DeleteFileA.KERNEL32(?), ref: 0041E782
                      • DeleteFileA.KERNEL32(?), ref: 0041E7D0
                      • MoveFileA.KERNEL32(?,?), ref: 0041E7E4
                      • GetFileAttributesA.KERNELBASE(00000000), ref: 0041E82C
                      • CopyFileA.KERNEL32(?,?,00000000), ref: 0041E8DC
                      • CopyFileA.KERNEL32(?,?,00000000), ref: 0041E99D
                      • OpenSCManagerA.ADVAPI32 ref: 0041EA8B
                      • OpenServiceA.ADVAPI32(00000000,.Winhlpsvr,000F01FF), ref: 0041EAA6
                      • CreateServiceA.ADVAPI32(00000000,.Winhlpsvr,Windows Helper Service,000F01FF,00000110,00000002,00000001,?,.OcularServices,00000000,00000000,00000000,00000000), ref: 0041EADB
                      • ChangeServiceConfig2A.ADVAPI32(00000000,00000002,?), ref: 0041EAF3
                      • ChangeServiceConfig2A.ADVAPI32(00000000,00000002,?,000F003F), ref: 0041EB17
                      • QueryServiceConfigA.ADVAPI32(00000000,00000000,00000400,?), ref: 0041EB57
                      • ChangeServiceConfigA.ADVAPI32(00000000,000000FF,00000002,000000FF,?,.OcularServices,00000000,00000000,00000000,00000000,00000000), ref: 0041EBC6
                      • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 0041EC01
                      • CloseServiceHandle.ADVAPI32(00000000), ref: 0041EC0E
                      • CloseServiceHandle.ADVAPI32(00000000), ref: 0041EC11
                      • RegCreateKeyA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunServices,?), ref: 0041EC35
                      • RegSetValueExA.ADVAPI32(?,.Winhlpsvr,00000000,00000001,?), ref: 0041EC62
                      • RegCloseKey.ADVAPI32(?), ref: 0041EC6D
                      • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 0041EC84
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Service$File$Close$CopyDeleteHandleOpen$ChangeCreate$ConfigConfig2Manager$AttributesControlDirectoryExecuteMoveObjectProcessQueryShellSingleStartValueWaitWindows
                      • String ID: "%s"$%s\%s$%s\system32\%s$%s\wusa.exe %s\%s /quiet /norestart$-cleardata$.OcularServices$.Winhlpsvr$/cleardata$3033929$Agt3Tool.exe$D$SXDebug$ServConf$Software\Microsoft\Windows\CurrentVersion\RunServices$Start$Systec$WinMain 1 [%lu]$WinMain 2 [%lu] [%lu] [%lu]$WinMain 3 [%d]$WinMain 3 [i=%d][Src=%s][Dst=%s]$WinMain 4 [%s][%s]$WinMain kb 1 [%d][%s]$WinMain kb 2 [%d]$Windows Helper Service$Windows6.1-KB3033929-x64.msu$Winhlpsvr$`$bakdevctrl64.sys$bakowv3.sys$bakrdgv3.sys$baksdoeav.sys$bakstec3.sys$bakwdgsvr.sys$msowcnv3.dll$oeaviewer.e32$open$remowv3.dll$software\TEC\Ocular.3\ShareData\PrivilegeValue$software\TEC\Ocular.3\ShareData\PrivilegeValue$software\TEC\Ocular.3\agent\debug$songxia_zd$systec$winrdgv3.exe$winwdgsvr.exe
                      • API String ID: 2975757663-1613233489
                      • Opcode ID: cf576d09291aa6224d8363bfd5b2217bdb10a78ffec02d4c2106c1f4297786bc
                      • Instruction ID: 20c3ee106095172daa65fceaefcbd29d97645c5f94a1258a6c4e915fc404eb25
                      • Opcode Fuzzy Hash: cf576d09291aa6224d8363bfd5b2217bdb10a78ffec02d4c2106c1f4297786bc
                      • Instruction Fuzzy Hash: 404219716043417FD320EB61DC46FEB77D9AF94704F40492EF946A2282EB78A548CBA7

                      Control-flow Graph

                      APIs
                      • LoadLibraryA.KERNEL32(NtDll.dll,?,00000000,?,00415F36), ref: 00416043
                      • LoadLibraryA.KERNEL32(kernel32.dll), ref: 0041604D
                      • LoadLibraryA.KERNELBASE(psapi.dll), ref: 00416057
                      • GetProcAddress.KERNEL32(?,NtQuerySystemInformation), ref: 00416081
                      • GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 0041608F
                      • GetProcAddress.KERNEL32(?,NtWow64QueryInformationProcess64), ref: 0041609D
                      • GetProcAddress.KERNEL32(?,NtReadVirtualMemory), ref: 004160AB
                      • GetProcAddress.KERNEL32(?,NtWow64ReadVirtualMemory64), ref: 004160B9
                      • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 004160C7
                      • GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 004160D5
                      • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 004160E3
                      • GetProcAddress.KERNEL32(?,ProcessIdToSessionId), ref: 004160FA
                      • GetProcAddress.KERNEL32(?,IsWow64Process), ref: 00416149
                      • GetProcAddress.KERNEL32(?,GetProcessImageFileNameW), ref: 00416157
                      • GetProcAddress.KERNEL32(?,QueryFullProcessImageNameW), ref: 00416165
                      • LoadLibraryA.KERNEL32(kernel32.dll,00000000,?,00415F36), ref: 00416171
                      • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00416184
                      • GetProcAddress.KERNEL32(?,Process32First), ref: 00416192
                      • GetProcAddress.KERNEL32(?,Process32Next), ref: 004161A0
                      • GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 004161CB
                      • GetProcAddress.KERNEL32(?,GetLongPathNameW), ref: 004161D9
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: AddressProc$LibraryLoad
                      • String ID: CreateToolhelp32Snapshot$EnumProcesses$GetLongPathNameA$GetLongPathNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetProcessImageFileNameW$IsWow64Process$NtDll.dll$NtQueryInformationProcess$NtQuerySystemInformation$NtReadVirtualMemory$NtWow64QueryInformationProcess64$NtWow64ReadVirtualMemory64$Process32First$Process32Next$ProcessIdToSessionId$QueryFullProcessImageNameW$kernel32.dll$psapi.dll
                      • API String ID: 2238633743-2253597223
                      • Opcode ID: 34f745a03ed89a71b1b1f6ebcc478837e72619d7906819bfbcf290aa08bcf520
                      • Instruction ID: 378719f8b63d53d608a02e2895724010d727b21ed436a20acdd22d86044dde71
                      • Opcode Fuzzy Hash: 34f745a03ed89a71b1b1f6ebcc478837e72619d7906819bfbcf290aa08bcf520
                      • Instruction Fuzzy Hash: 5D511770600B10AFD730EF7AD941A57F7F9AF54B40306492EA586D3A51EBB9F8408F58

                      Control-flow Graph

                      APIs
                      • GetVersionExA.KERNEL32(00000094), ref: 00580867
                      • GetModuleHandleW.KERNEL32(Ntdll.dll,00000000), ref: 00580888
                      • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00580898
                      • GetVersionExA.KERNEL32(0000009C), ref: 00580939
                      • GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 00580989
                      • RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00020019,?,?,?,00000000), ref: 00580A4A
                      • RegQueryValueExA.KERNELBASE(?,ProgramFilesDir,00000000,?,00000000,?,?,?,00000000), ref: 00580A7E
                      • RegQueryValueExA.KERNELBASE(?,ProgramFilesDir,00000000,00000000,C:\Program Files (x86),?,?,?,00000000), ref: 00580ABD
                      • RegQueryValueExA.KERNELBASE(?,CommonFilesDir,00000000,?,00000000,?,?,?,00000000), ref: 00580AD5
                      • RegQueryValueExA.KERNELBASE(?,CommonFilesDir,00000000,00000000,00655FB8,?,?,?,00000000), ref: 00580B0F
                      • RegCloseKey.KERNELBASE(?,?,?,00000000), ref: 00580B16
                      • RegOpenKeyExA.KERNELBASE(80000002,SYSTEM\CurrentControlSet\Control\Nls\Language,00000000,00020019,?), ref: 00580C13
                      • RegQueryValueExA.KERNELBASE(?,InstallLanguage,00000000,?,?,?), ref: 00580C5D
                      • RegCloseKey.ADVAPI32(?), ref: 00580C76
                      • GetFileVersionInfoSizeA.VERSION(?,?), ref: 00580CEE
                      • GetFileVersionInfoA.VERSION(?,?,?,00000000,?,?,00000000), ref: 00580D33
                      • VerQueryValueA.VERSION ref: 00580D54
                      • RegCloseKey.ADVAPI32(00000000), ref: 00580DC2
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: QueryValue$Version$Close$FileInfoOpen$AddressDirectoryHandleModuleProcSizeSystem
                      • String ID: %s\user.exe$C:\Program Files (x86)$C:\Windows$C:\Windows\system32$CommonFilesDir$InstallLanguage$Ntdll.dll$ProgramFilesDir$RtlGetVersion$SYSTEM\CurrentControlSet\Control\Nls\Language$Software\Microsoft\Windows\CurrentVersion$\Common Files$\Program Files$\VarFileInfo\Translation
                      • API String ID: 2008991335-2089243060
                      • Opcode ID: 95cae2a999b8811b80207fc20c1ece5d9930e98455ed5d2f187f45eb917b4486
                      • Instruction ID: 1aae3ea603d2388d36c28c57132b497a870691e0cde1882abb45df23065bb8b4
                      • Opcode Fuzzy Hash: 95cae2a999b8811b80207fc20c1ece5d9930e98455ed5d2f187f45eb917b4486
                      • Instruction Fuzzy Hash: 59E121316047019BD728EF28C859A6FBBD6FBD4711F045A2EF886A32D0DBB09D08C752

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 717 5bc1bb-5bc1e6 call 43ed58 GetFullPathNameA 720 5bc1fa-5bc229 call 5bc28b GetVolumeInformationA 717->720 721 5bc1e8-5bc1f5 lstrcpynA 717->721 725 5bc22b-5bc22f 720->725 726 5bc26d-5bc279 call 5bb267 720->726 723 5bc27b-5bc288 721->723 727 5bc238-5bc23c 725->727 728 5bc231-5bc232 CharUpperA 725->728 726->723 730 5bc26a-5bc26c 727->730 731 5bc23e-5bc251 FindFirstFileA 727->731 728->727 730->726 731->730 733 5bc253-5bc264 FindClose lstrcpyA 731->733 733->730
                      APIs
                      • __EH_prolog.LIBCMT ref: 005BC1C0
                      • GetFullPathNameA.KERNEL32(?,00000104,?,?,00000000), ref: 005BC1DE
                      • lstrcpynA.KERNEL32(?,?,00000104), ref: 005BC1ED
                      • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00000000,?,?,00000000,00000000,?,?), ref: 005BC221
                      • CharUpperA.USER32(?), ref: 005BC232
                      • FindFirstFileA.KERNEL32(?,?), ref: 005BC248
                      • FindClose.KERNEL32(00000000), ref: 005BC254
                      • lstrcpyA.KERNEL32(?,?), ref: 005BC264
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Find$CharCloseFileFirstFullH_prologInformationNamePathUpperVolumelstrcpylstrcpyn
                      • String ID:
                      • API String ID: 304730633-0
                      • Opcode ID: 9b5b45f1d34f810b2d0cf3a11dfde1fbe7332cd042975832be8dd59f8809b40d
                      • Instruction ID: 1e85f6a67f89f2fd16b482ee945f4a51cfa5e4ae3895f319cbf453c690616af6
                      • Opcode Fuzzy Hash: 9b5b45f1d34f810b2d0cf3a11dfde1fbe7332cd042975832be8dd59f8809b40d
                      • Instruction Fuzzy Hash: DD218C71501019ABCB209FA5DC48AEFBFBCFF15764F008126F916E60A0D7309A49DBA0

                      Control-flow Graph
                      [Graph image; first block 489c90-489ca4. Legend: Executed / Not Executed]
                      APIs
                        • Part of subcall function 004380D0: LoadLibraryW.KERNEL32(advapi32.dll,00000000,00488375,00417E99), ref: 00438104
                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00489D15
                      • GetLastError.KERNEL32 ref: 00489D1F
                      • AdjustTokenPrivileges.KERNELBASE ref: 00489D82
                      • GetLastError.KERNEL32 ref: 00489D94
                      • GetLastError.KERNEL32 ref: 00489D9A
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: ErrorLast$AdjustLibraryLoadLookupPrivilegePrivilegesTokenValue
                      • String ID:
                      • API String ID: 558403942-0
                      • Opcode ID: b589c138575e9ab5adb2ab28b0fc7a942fa55bc36eead1eb50e838c320b87eb1
                      • Instruction ID: e35e573340034d42ed5f543bb9f0b66fc48fe44e624ac1c71305b4ab1be6f534
                      • Opcode Fuzzy Hash: b589c138575e9ab5adb2ab28b0fc7a942fa55bc36eead1eb50e838c320b87eb1
                      • Instruction Fuzzy Hash: 453180716083015BE314EF29DC01BAFB7E5BBC8754F04092EF58897390E779DA048B96

                      Control-flow Graph
                      [Graph image; first block 417eb0-417ebc. Legend: Executed / Not Executed]
                      APIs
                      • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,?,00000000,?,?,?,00000000,?,00000000,00000000), ref: 00417EE0
                      • OpenProcess.KERNEL32(02000000,00000000,?,?,00000000,?,?,?,00000000,?,00000000,00000000), ref: 00417EEF
                      • OpenProcess.KERNEL32(00001000,00000000,?,?,00000000,?,?,?,00000000,?,00000000,00000000), ref: 00417EFE
                      • NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000), ref: 00417F32
                      • CloseHandle.KERNEL32(00000000), ref: 00417F3E
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Process$Open$CloseHandleInformationQuery
                      • String ID:
                      • API String ID: 3748271266-0
                      • Opcode ID: afab705bc1f4f57e06b366bba438504803ec4af48c4acdffdb72b595e254aad7
                      • Instruction ID: 0e2c29980bd1c5201fca36306b7cecd707724f955a7e6963372f443cc6f965eb
                      • Opcode Fuzzy Hash: afab705bc1f4f57e06b366bba438504803ec4af48c4acdffdb72b595e254aad7
                      • Instruction Fuzzy Hash: 6E11BFB19093016BD3209E298C00FABBBE8EF98760F00066AF954D7380E670C94587AA
                      APIs
                      • FindFirstFileA.KERNELBASE(?,?,?,?,00000000), ref: 00481E9B
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: FileFindFirst
                      • String ID:
                      • API String ID: 1974802433-0
                      • Opcode ID: 9ae053497b8fef658bad69359bc494c55e7a13e2a297ebddee9efa1413e40551
                      • Instruction ID: 5ac352829b743618c75a67a9e9193b27d39feab19ec29d9d377af92bf37a8a9b
                      • Opcode Fuzzy Hash: 9ae053497b8fef658bad69359bc494c55e7a13e2a297ebddee9efa1413e40551
                      • Instruction Fuzzy Hash: 7E51BF701083809FD320DE68C844BABB7E5AF89310F448E1EF9D997381D779A909C756

                      Control-flow Graph
                      [Graph image; first block 416930-41695c. Legend: Executed / Not Executed]
                      APIs
                      • OpenProcess.KERNEL32(00000410,00000000,?,?,00000000,?,?), ref: 004169FA
                      • OpenProcess.KERNEL32(02000000,00000000,?), ref: 00416A14
                      • OpenProcess.KERNEL32(00001000,00000000,?), ref: 00416A2A
                      • OpenProcess.KERNEL32(00000410,00000000,?), ref: 00416A58
                      • OpenProcess.KERNEL32(02000000,00000000,?), ref: 00416A6E
                      • OpenProcess.KERNEL32(00001000,00000000,?), ref: 00416A84
                      • K32GetProcessImageFileNameW.KERNEL32(00000000,?,00000207), ref: 00416B9A
                      • GetFileAttributesExW.KERNEL32(?,00000000,?,?,00000208), ref: 00416D6F
                      • CloseHandle.KERNEL32(00000000), ref: 00416E3F
                      • CloseHandle.KERNEL32(00000000), ref: 00416F77
                        • Part of subcall function 004177C0: ExpandEnvironmentStringsW.KERNEL32(?,?,00000209,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004178AB
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Process$Open$CloseFileHandle$AttributesEnvironmentExpandImageNameStrings
                      • String ID: CProcMgr::GetProcessPathW 1 [%d] [%08x]$CProcMgr::GetProcessPathW 2 [%d] [%08x]$CProcMgr::GetProcessPathW 2 [%d][%d]$CProcMgr::GetProcessPathW 3 [%s]$CProcMgr::GetProcessPathW 4-1$CProcMgr::GetProcessPathW 4-2 [%08x]$CProcMgr::GetProcessPathW 4-3-1 [%s]$CProcMgr::GetProcessPathW 4-3-2$CProcMgr::GetProcessPathW 5 [%s]$CProcMgr::GetProcessPathW 5-2$CProcMgr::GetProcessPathW 6$CProcMgr::GetProcessPathW 7 [%s]$CProcMgr::GetProcessPathW 8$CProcMgr::GetProcessPathW 9 [%d]$CProcMgr::GetProcessPathW [%d]$CProcMgr::GetProcessPathW [=====] [%d] [%s]$ProcMgr
                      • API String ID: 2651823227-595521225
                      • Opcode ID: ac17e573b6cd8a6706a07532a3398b93f5cecad2dd8fa1ae6ed7907e9775f9af
                      • Instruction ID: aeffa8c4773efa19938bb8e0cdac4695efe060530a286fe0ef5bfffce8c04e44
                      • Opcode Fuzzy Hash: ac17e573b6cd8a6706a07532a3398b93f5cecad2dd8fa1ae6ed7907e9775f9af
                      • Instruction Fuzzy Hash: 7602F671648352ABE730DF64DC85FEB73E5EB84704F010A2EF54952281E778E9848B57

                      Control-flow Graph
                      [Graph image; first block 472be0-472bed. Legend: Executed / Not Executed]
                      APIs
                      • GetVersionExA.KERNEL32(00653620,00000000,006501B0), ref: 00472C14
                      • GetVersionExA.KERNEL32(006536B8,00000000), ref: 00472C41
                      • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00472C4E
                      • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00472C5E
                      • GetProcAddress.KERNEL32(00000000,GetProductInfo), ref: 00472C6B
                      • GetNativeSystemInfo.KERNELBASE(00653758), ref: 00472C80
                      • GetSystemInfo.KERNEL32(00653758), ref: 00472C84
                      • GetModuleHandleW.KERNEL32(Ntdll.dll), ref: 00472CBB
                      • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00472CC8
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: AddressProc$HandleInfoModuleSystemVersion$Native
                      • String ID: GetNativeSystemInfo$GetProductInfo$Ntdll.dll$RtlGetVersion$kernel32.dll
                      • API String ID: 2278658022-3554532166
                      • Opcode ID: bc6a59f1343067ba2236597a942fd092466e6284252ca99c1820908d65e132d2
                      • Instruction ID: 8da9563d97e336ed96add6545adffbac89996c33dbdbb1d3f888e3f56080b0e3
                      • Opcode Fuzzy Hash: bc6a59f1343067ba2236597a942fd092466e6284252ca99c1820908d65e132d2
                      • Instruction Fuzzy Hash: 1231E4B0A00321BFE721DF64EE4569A77E6EB58B42F11902FF404D3360D7F89A448B59

                      Control-flow Graph
                      [Graph image; first block 436430-43648a. Legend: Executed / Not Executed]
                      APIs
                        • Part of subcall function 004558C0: lstrlenA.KERNEL32(?,0065084C,006501B0,00000000,00406413), ref: 004558D9
                        • Part of subcall function 004558C0: InterlockedDecrement.KERNEL32(0065013C), ref: 0045593D
                        • Part of subcall function 004558C0: lstrlenW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,006501B0,00000000,00650230,TICKCOUNT,00650230), ref: 004559A3
                        • Part of subcall function 00456240: InterlockedDecrement.KERNEL32(-000000F4), ref: 00456256
                      • GetTickCount.KERNEL32 ref: 00436770
                      • MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 004367DE
                      • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 004367F1
                        • Part of subcall function 005BAFDC: InterlockedIncrement.KERNEL32(?), ref: 005BAFF1
                        • Part of subcall function 005BB267: InterlockedDecrement.KERNEL32(-000000F4), ref: 005BB27B
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Interlocked$Decrement$Filelstrlen$CountIncrementMoveSecurityTick
                      • String ID: %s\%s$%s\newtemp_%d$CUpAgentFileMgr::InstallZIPDatFile 1 [%s] [%d]$CUpAgentFileMgr::InstallZIPDatFile 2 [i=%d] [%s] [%d] [%d] [%d]$CUpAgentFileMgr::InstallZIPDatFile 3 [%d]$CUpAgentFileMgr::InstallZIPDatFile 4 [%s] [%d] [%d]$Update
                      • API String ID: 2047053997-2816137390
                      • Opcode ID: ee298e1b08438fb696a2316f71b649a50c61d031a95e36498a9237feb57a8087
                      • Instruction ID: c90e3bd9cfd044c2e0ccf90e282f5ee78993e438d137b62a05107e0d063b1a45
                      • Opcode Fuzzy Hash: ee298e1b08438fb696a2316f71b649a50c61d031a95e36498a9237feb57a8087
                      • Instruction Fuzzy Hash: E8126E70608381AFD320DB54C855BABBBE4BFD9704F44491DF98997291D7B4E908CB53

                      Control-flow Graph

                      APIs
                      • EnterCriticalSection.KERNEL32(006514C4,006514E0,?,00000000,006514A8,006514A8,005C70AB,0065084C,?,005C755D,005C6871,00455A0E,0065084C,006501B0,00650230,00000000), ref: 005C6CDE
                      • GlobalAlloc.KERNELBASE(00002002,00000000,?), ref: 005C6D33
                      • GlobalHandle.KERNEL32(008F51E0), ref: 005C6D3C
                      • GlobalUnlock.KERNEL32(00000000), ref: 005C6D45
                      • GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 005C6D57
                      • GlobalHandle.KERNEL32(008F51E0), ref: 005C6D6E
                      • GlobalLock.KERNEL32(00000000), ref: 005C6D75
                      • LeaveCriticalSection.KERNEL32(?), ref: 005C6D7B
                      • GlobalLock.KERNEL32(?), ref: 005C6D8A
                      • LeaveCriticalSection.KERNEL32(?), ref: 005C6DD3
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
                      • String ID:
                      • API String ID: 2667261700-0
                      • Opcode ID: ba816af461d695557d0601a697ec74b5188e4f59e4cec57957ff8b85ce58d256
                      • Instruction ID: fe831d7000c9a0d8fa01128d190f92ceae0d9ad9ef4964c5b2830e6d0d586388
                      • Opcode Fuzzy Hash: ba816af461d695557d0601a697ec74b5188e4f59e4cec57957ff8b85ce58d256
                      • Instruction Fuzzy Hash: 6B3181753017059FDB209F68DC89E6ABBE9FF94305B004A2EE993C3661E771E9498B10

                      Control-flow Graph

                      APIs
                      • SetLastError.KERNEL32(00000057,?,004293E6,?,?,00624470,?,00000000), ref: 00483BF5
                      • GetLongPathNameW.KERNELBASE(pDb,?,?,00624470,?,00000000), ref: 00483C12
                      • SetFileAttributesA.KERNELBASE(pDb,00000000), ref: 00483C1C
                      • RemoveDirectoryA.KERNELBASE(pDb), ref: 00483C23
                      • GetLastError.KERNEL32 ref: 00483C2F
                      • SetLastError.KERNEL32(00000000), ref: 00483C3F
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: ErrorLast$AttributesDirectoryFileLongNamePathRemove
                      • String ID: pDb
                      • API String ID: 4089116163-2618899255
                      • Opcode ID: 4d1efcc93927ed1d42f90fd49e6209199614e211e6daf2a25c10ec9825c9349b
                      • Instruction ID: bb5bd79b82fc4cb3daf3b52ef75dd32592703c32f29669eef1f755126708d758
                      • Opcode Fuzzy Hash: 4d1efcc93927ed1d42f90fd49e6209199614e211e6daf2a25c10ec9825c9349b
                      • Instruction Fuzzy Hash: 8AF03072502720ABD7327F24BC0DB4E3798DB15F53F054817F802E6250DB649A45AB99

                      Control-flow Graph

                      APIs
                      • GetFileAttributesA.KERNELBASE(?,?,00000000,6CBB7310,0041E823,00000000,00000006,songxia_zd,?,00000000,00000001), ref: 0041CB7E
                      • SetFileAttributesA.KERNEL32(?,00000000,?,00000000,00000001), ref: 0041CB97
                      • DeleteFileA.KERNEL32(?,?,00000000,00000001), ref: 0041CB9A
                      • CreateDirectoryA.KERNELBASE(?,00000000,?,00000000,00000001), ref: 0041CBA7
                      • GetFileAttributesA.KERNELBASE(?,?,00000000,00000001), ref: 0041CBB6
                      • SetFileAttributesA.KERNELBASE(?,?,?,00000000,00000001), ref: 0041CBC2
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: File$Attributes$CreateDeleteDirectory
                      • String ID:
                      • API String ID: 481971240-0
                      • Opcode ID: ce147a77ba40217a2ea0b6343e1bbe4a7fd1e66e8e72a994758a2819ff99efeb
                      • Instruction ID: 08c943fb3984fea11a96da49d4769f175d0a90b7c27fadb957ff91ed437ea7d5
                      • Opcode Fuzzy Hash: ce147a77ba40217a2ea0b6343e1bbe4a7fd1e66e8e72a994758a2819ff99efeb
                      • Instruction Fuzzy Hash: EAF0E2722074202EE5216B2CBDC1EEF635DDEA2266B000127F401D2260C768AE8747BD

                      Control-flow Graph

                      APIs
                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00474CC5
                      • RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?), ref: 00474CF9
                      • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,00000000,00000003,00000000,756F1760,00000000,000000FF,00472D17,00653624,00653628), ref: 00474D56
                      • RegCloseKey.ADVAPI32(?,00000000), ref: 00474D71
                      • RegCloseKey.ADVAPI32(?), ref: 00474DA1
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CloseQueryValue$Open
                      • String ID:
                      • API String ID: 4082589901-0
                      • Opcode ID: 587a02185e930c6d4a273be7d24256b90bdc2bc89c798e008e14b54dcb54d459
                      • Instruction ID: f5e0d5491a595709449b5f8d01542000b780b1910dd294ce0a603915a333f11b
                      • Opcode Fuzzy Hash: 587a02185e930c6d4a273be7d24256b90bdc2bc89c798e008e14b54dcb54d459
                      • Instruction Fuzzy Hash: FE418E71204241AFD324DF18C845BBBB7E8FBC4B00F54491EF98697291D764ED09CBA6

                      Control-flow Graph

                      APIs
                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 004748CB
                      • RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?), ref: 00474901
                      • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?), ref: 0047492E
                      • RegCloseKey.ADVAPI32(?), ref: 00474939
                      • RegCloseKey.ADVAPI32(?), ref: 00474952
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CloseQueryValue$Open
                      • String ID:
                      • API String ID: 4082589901-0
                      • Opcode ID: 6f138b73e76db3e9f37da0394c135bc87fb4bb56cf252515bdd8423eee58cad0
                      • Instruction ID: 8fafd5414bf1edae080292b9bcf2c48030087397fe6d07d97d461ed54fcd0019
                      • Opcode Fuzzy Hash: 6f138b73e76db3e9f37da0394c135bc87fb4bb56cf252515bdd8423eee58cad0
                      • Instruction Fuzzy Hash: C221B6B5604316AFD720DA14DC40FBFB398EBC5754F10862BFA9997240E325AD098BA6

                      Control-flow Graph

                      APIs
                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00464EBB
                      • RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?), ref: 00464EF1
                      • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?), ref: 00464F1E
                      • RegCloseKey.ADVAPI32(?), ref: 00464F29
                      • RegCloseKey.ADVAPI32(?), ref: 00464F42
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CloseQueryValue$Open
                      • String ID:
                      • API String ID: 4082589901-0
                      • Opcode ID: 6f138b73e76db3e9f37da0394c135bc87fb4bb56cf252515bdd8423eee58cad0
                      • Instruction ID: e7e01883c6a0637f3f9621547231e1f570eea62066523df8472d595cbf026a95
                      • Opcode Fuzzy Hash: 6f138b73e76db3e9f37da0394c135bc87fb4bb56cf252515bdd8423eee58cad0
                      • Instruction Fuzzy Hash: 4C218075605316AFDB24CA14DC40F7BB3A8EBC4B45F10462BF99597240F335AD098BA7
                      APIs
                        • Part of subcall function 0045D020: InterlockedDecrement.KERNEL32(-000000F5), ref: 0045D067
                      • GetTickCount.KERNEL32 ref: 004174C4
                      • GetLogicalDrives.KERNELBASE ref: 004174CC
                      Strings
                      • CProcMgr::EnumVolumesW [%08x <-> %08x] [%d <-> %d] [enum : %d] [loop : %d], xrefs: 00417518
                      • EnumVolumes, xrefs: 0041751D
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CountDecrementDrivesInterlockedLogicalTick
                      • String ID: CProcMgr::EnumVolumesW [%08x <-> %08x] [%d <-> %d] [enum : %d] [loop : %d]$EnumVolumes
                      • API String ID: 3289110497-2298549976
                      • Opcode ID: d4cc154891d7a49b44fa908cb85ba17a55fbbf69cf923dcf49a7b1b09d2d5cc3
                      • Instruction ID: b74c0c25e034602d6a30394ed351047f4e49ec33bbf73da37a6c2a085d17a288
                      • Opcode Fuzzy Hash: d4cc154891d7a49b44fa908cb85ba17a55fbbf69cf923dcf49a7b1b09d2d5cc3
                      • Instruction Fuzzy Hash: A7410471604700ABD724DF25C881F6FB7F5AF84714F104A1EF962432E2DB79E8448B46
                      APIs
                        • Part of subcall function 00474660: GetModuleHandleA.KERNEL32(advapi32.dll,756F1760,00472EE7), ref: 00474688
                        • Part of subcall function 00474660: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExA), ref: 00474698
                        • Part of subcall function 00474660: RegCloseKey.ADVAPI32(00000001,756F1760,00472EE7), ref: 004746AA
                        • Part of subcall function 004747D0: RegCloseKey.ADVAPI32(00000000,?,00473138,80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00020019,00000003,00000000,756F1760,00000000,000000FF,00472D17,00653624,00653628), ref: 004747DA
                        • Part of subcall function 004747D0: RegOpenKeyExA.KERNELBASE(00000003,00000000,00000000,?,00000003,?,00473138,80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00020019,00000003,00000000,756F1760,00000000,000000FF,00472D17), ref: 00474801
                      • GetProfileStringA.KERNEL32(ED30_8AC4_11D5_8930_A730,ASN,0064FD78,?,00000400), ref: 004215AD
                        • Part of subcall function 00474BF0: RegQueryValueExA.ADVAPI32(?,00650EB0,00000000,?,00000000,00650EB0,?,?,?,00000000,00020019,00421527,ASN,00650EB0,80000002,SOFTWARE\Classes\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID), ref: 00474C15
                        • Part of subcall function 00474BF0: RegQueryValueExA.ADVAPI32(?,00650EB0,00000000,00000000,00000000,?,00000000), ref: 00474C41
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CloseQueryValue$AddressHandleModuleOpenProcProfileString
                      • String ID: ASN$ED30_8AC4_11D5_8930_A730$SOFTWARE\Classes\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID
                      • API String ID: 2773363267-1028439139
                      • Opcode ID: 9a0f9cb2479522a06a47f5771b45d529a23811b40ef7e811cd8ec4557a9f313c
                      • Instruction ID: 7b62fa89465205c2187b9e5b9c3d90e11742942b67fdf3e6953f027647bf3fd1
                      • Opcode Fuzzy Hash: 9a0f9cb2479522a06a47f5771b45d529a23811b40ef7e811cd8ec4557a9f313c
                      • Instruction Fuzzy Hash: 7B41F371204345ABD720DE24E891AAFB7E5ABD4300F44893EE586833A0DB789949CB97
                      APIs
                      • RegOpenKeyW.ADVAPI32(80000002,?,?), ref: 00404C49
                      • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,?,00650230), ref: 00404C79
                      • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00404CB2
                      • RegCloseKey.ADVAPI32(?), ref: 00404CB9
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: QueryValue$CloseOpen
                      • String ID:
                      • API String ID: 1586453840-0
                      • Opcode ID: 51857c9f022935f09cb3175ae4e1b25dd711cc4cffac865b6545e1daad7d93b0
                      • Instruction ID: 6f286877d84b0052f704d19c81bce93d9221b3516d6794b6c031fb1fef93c040
                      • Opcode Fuzzy Hash: 51857c9f022935f09cb3175ae4e1b25dd711cc4cffac865b6545e1daad7d93b0
                      • Instruction Fuzzy Hash: 08116DB2509211AFD320DF55DC89D9BBBECEBD4A10F00892EF685D3211E230D909CBE2
                      APIs
                      • FreeLibrary.KERNEL32(?,?,6CBB6DE0,?,004161F3), ref: 0041621E
                      • FreeLibrary.KERNELBASE(?,?,6CBB6DE0,?,004161F3), ref: 0041623A
                      • FreeLibrary.KERNEL32(?,?,6CBB6DE0,?,004161F3), ref: 00416250
                      • FreeLibrary.KERNEL32(?,6CBB6DE0,?,004161F3), ref: 00416272
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: FreeLibrary
                      • String ID:
                      • API String ID: 3664257935-0
                      • Opcode ID: 59232a194dbfda8f107665de09817341a3c7b14f886ce2baf7e2573fd437f5b9
                      • Instruction ID: ebcac70483be70c9707ccc65fa51e17a5e818f21ffd9db41f53fcacbf55fbcd0
                      • Opcode Fuzzy Hash: 59232a194dbfda8f107665de09817341a3c7b14f886ce2baf7e2573fd437f5b9
                      • Instruction Fuzzy Hash: 1F2139B1A01B108BC2309F2FA984457FBF8BFE86103554E5FD586C3A20D7B5E4458F64
                      APIs
                      • GetModuleHandleW.KERNEL32(00000000,00650E90,00000001,?,0042560C), ref: 00486D08
                      • CreateThread.KERNELBASE(00000000,00000000,00486F30,00000000,00000004,00000004), ref: 00486D3F
                      • SetThreadPriority.KERNEL32(00000000,?), ref: 00486D5E
                      • ResumeThread.KERNELBASE(?), ref: 00486D68
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Thread$CreateHandleModulePriorityResume
                      • String ID:
                      • API String ID: 3666216124-0
                      • Opcode ID: c96dd699e1b8145b284b571277ef3acf8347f775911440c9311d74c5b40fb474
                      • Instruction ID: 2568ce229c30c180f9151b942fced29f333c69ff772f14d9eeea0b8167a534e7
                      • Opcode Fuzzy Hash: c96dd699e1b8145b284b571277ef3acf8347f775911440c9311d74c5b40fb474
                      • Instruction Fuzzy Hash: CA1186753017019BE760AB65EC84B6B77E8EF48300B15482FA50AC3355EB78EC41CB18
                      APIs
                      • GetDriveTypeA.KERNELBASE(?,?,?,?,?,?,00000000,00000000), ref: 00417DA3
                      • WNetGetConnectionA.MPR ref: 00417E19
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: ConnectionDriveType
                      • String ID: :
                      • API String ID: 3195379828-336475711
                      • Opcode ID: c093613f163353759a99723ced7cead189bad615f9866a4662cddf8d413ba045
                      • Instruction ID: b335ca42221d8acfc278938836c0f3fc99a53453d1b04bd44d09e33d7b6beb46
                      • Opcode Fuzzy Hash: c093613f163353759a99723ced7cead189bad615f9866a4662cddf8d413ba045
                      • Instruction Fuzzy Hash: 7E4114765086481AC728CA78A8815FFB7E4EFD5320F184A2FF592C32C1DA79DD8D8356
                      APIs
                      • GetCurrentProcess.KERNEL32(?,?,004415F7,?,00000000,00000000,0043E9AC,00000000,00000000), ref: 0044163F
                      • TerminateProcess.KERNEL32(00000000,?,004415F7,?,00000000,00000000,0043E9AC,00000000,00000000), ref: 00441646
                      • ExitProcess.KERNEL32 ref: 004416C7
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Process$CurrentExitTerminate
                      • String ID:
                      • API String ID: 1703294689-0
                      • Opcode ID: bf8bc686239b21dbccfffe0b0e5c311a619dc168be9bbde20c47399c28e957fc
                      • Instruction ID: 883f5b86754f4b9f093448f8fbb4e87591c865c86c9dd667f25a1d1c5263b9d2
                      • Opcode Fuzzy Hash: bf8bc686239b21dbccfffe0b0e5c311a619dc168be9bbde20c47399c28e957fc
                      • Instruction Fuzzy Hash: 84010431604311ABEB20AB69FC8A55A7BA7AB50755F0A402FF441822B0DB24D8C09F29
                      APIs
                      • CopyFileA.KERNEL32(?,?,?), ref: 0040D7B3
                      • GetLastError.KERNEL32 ref: 0040D7BF
                        • Part of subcall function 0040CE50: GetFileAttributesA.KERNEL32(?,?,?,00000001), ref: 0040CE7B
                        • Part of subcall function 0040CE50: SetFileAttributesA.KERNEL32(?,00000000), ref: 0040CE96
                        • Part of subcall function 0040CE50: FindFirstFileA.KERNEL32(?,?,00000000), ref: 0040CF3F
                        • Part of subcall function 0040CE50: lstrcmpA.KERNEL32(?,0061F33C), ref: 0040CF63
                        • Part of subcall function 0040CE50: lstrcmpA.KERNEL32(?,0061F338), ref: 0040CF7A
                      • CopyFileA.KERNEL32(?,?,?), ref: 0040D7D7
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: File$AttributesCopylstrcmp$ErrorFindFirstLast
                      • String ID:
                      • API String ID: 1829081230-0
                      • Opcode ID: e5329aa6ef9232778f3ff72db4f89f48d3533a9cf03b97b16b79373b4c033afc
                      • Instruction ID: 3d039c43b56a3c5e7b6e998ed48cc9393b70932bbc3eb03a0a767e137f41b2fa
                      • Opcode Fuzzy Hash: e5329aa6ef9232778f3ff72db4f89f48d3533a9cf03b97b16b79373b4c033afc
                      • Instruction Fuzzy Hash: 67E09B776021157B82105B96BC88D5BF76CDEDA3737150077F606D3201DB356C0897B5
                      APIs
                      • RegOpenKeyW.ADVAPI32 ref: 00404D02
                      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000000), ref: 00404D33
                      • RegCloseKey.ADVAPI32 ref: 00404D3E
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CloseOpenQueryValue
                      • String ID:
                      • API String ID: 3677997916-0
                      • Opcode ID: cb49266e9b1d44cdcd37eef1336f08624435470ba4408d54c51f63d62d32984e
                      • Instruction ID: 7113585e652c1566e3688bb81aa964c9b21095b106e0d334da9f82f10a448407
                      • Opcode Fuzzy Hash: cb49266e9b1d44cdcd37eef1336f08624435470ba4408d54c51f63d62d32984e
                      • Instruction Fuzzy Hash: B1F062B5108346AFD314DF54D849B6BBBE8FBD4704F00C91EF58A87251E774A908CB66
                      APIs
                      • RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?,00000000,000000FF,?,00000000,?,00000000,00403EE9,?,00000000,PendingFileRenameOperations), ref: 00404240
                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,?,?,00000000,005CA4F8,000000FF,0041E3E2,80000002,Software\Microsoft\Windows\CurrentVersion\RunServices), ref: 004042A1
                        • Part of subcall function 00404330: RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?,00404219,?,?,00020019,00000000,000000FF,?,00000000,?,00000000,00403EE9), ref: 00404346
                        • Part of subcall function 00404360: RegCloseKey.ADVAPI32(?,0040431B,?,?,00000000,00403EE9,?,00000000,PendingFileRenameOperations,?,80000002,SYSTEM\CurrentControlSet\Control\Session Manager,00020019), ref: 00404369
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: QueryValue$CloseOpen
                      • String ID:
                      • API String ID: 1586453840-0
                      • Opcode ID: e0b75b684ba044b94e065c70f1e89a7569b2412bba6b7c80570f4897aa7e9daf
                      • Instruction ID: f4ea60829a383211f0e7a4f3f55bb86af7633b913e83781025e77b4aa182b1bd
                      • Opcode Fuzzy Hash: e0b75b684ba044b94e065c70f1e89a7569b2412bba6b7c80570f4897aa7e9daf
                      • Instruction Fuzzy Hash: BB3105B13042066BD724DD24AC86B6B7799EBC5350F14093EFB46E33C2E679ED048356
                      APIs
                        • Part of subcall function 005BC1BB: __EH_prolog.LIBCMT ref: 005BC1C0
                        • Part of subcall function 005BC1BB: GetFullPathNameA.KERNEL32(?,00000104,?,?,00000000), ref: 005BC1DE
                        • Part of subcall function 005BC1BB: lstrcpynA.KERNEL32(?,?,00000104), ref: 005BC1ED
                      • CreateFileA.KERNELBASE(00000000,80000000,00000000,0000000C,00000003,00000080,00000000,?,?,?,005E0084,?,00000000), ref: 005BBC0E
                      • GetLastError.KERNEL32(?,00000000), ref: 005BBC20
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CreateErrorFileFullH_prologLastNamePathlstrcpyn
                      • String ID:
                      • API String ID: 1034715445-0
                      • Opcode ID: e87afeb77dffd2d1aafa115a21cc0993dab5b255d3440d43442973ab38adba79
                      • Instruction ID: 396edc2ae13c7e1cfb44e765bfc9f5a31f52852b8e2682a26518991e51d05ac4
                      • Opcode Fuzzy Hash: e87afeb77dffd2d1aafa115a21cc0993dab5b255d3440d43442973ab38adba79
                      • Instruction Fuzzy Hash: 8A31EB72A0070AABFB248F19CC55BEA7FA5FB80310F24892AE466C71C4C7F4BD448750
                      APIs
                        • Part of subcall function 0045D020: InterlockedDecrement.KERNEL32(-000000F5), ref: 0045D067
                      • GetLogicalDrives.KERNELBASE ref: 00417683
                        • Part of subcall function 004559D0: lstrlenW.KERNEL32(?,?,0065084C,006501B0,00650230,00000000), ref: 00455A48
                        • Part of subcall function 0045D6B0: InterlockedDecrement.KERNEL32(?), ref: 0045D71B
                      • QueryDosDeviceW.KERNEL32 ref: 00417725
                        • Part of subcall function 00456520: InterlockedDecrement.KERNEL32(-0000000C), ref: 0045655E
                        • Part of subcall function 0045D6B0: InterlockedDecrement.KERNEL32(?), ref: 0045D764
                        • Part of subcall function 0045D6B0: InterlockedIncrement.KERNEL32(?), ref: 0045D7DF
                        • Part of subcall function 00456240: InterlockedDecrement.KERNEL32(-000000F4), ref: 00456256
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Interlocked$Decrement$DeviceDrivesIncrementLogicalQuerylstrlen
                      • String ID:
                      • API String ID: 1496699634-0
                      • Opcode ID: 8c6bf85d31c370f5b887682e00ef60bc14e2036f42d6d224cf26ad06c9c7e392
                      • Instruction ID: cf55f191414770e54e0ce6123e83de486e7ca40804e3238d1e7e2c473b275e72
                      • Opcode Fuzzy Hash: 8c6bf85d31c370f5b887682e00ef60bc14e2036f42d6d224cf26ad06c9c7e392
                      • Instruction Fuzzy Hash: 964180701083419FC314DF69D494A9FB7E4FFC8718F004A1EF89993291DB38A649CB56
                      APIs
                      • RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?,?,00000000,?,00000000,0041D09B,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,CommonFilesDir,?,00000104), ref: 0041CFE7
                      • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,80000002,?,?,00000000,0041D09B,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,CommonFilesDir,?,00000104,?,00000000), ref: 0041D021
                        • Part of subcall function 0041CF60: RegOpenKeyExA.KERNELBASE(00000000,00000000,00000000,?,?,0041CFBC,?,00000000,00020019,?,00000000,?,00000000,0041D09B,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion), ref: 0041CF76
                        • Part of subcall function 0041CF90: RegCloseKey.KERNELBASE(00000000,0041D048,?,?,00000000,0041D09B,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,CommonFilesDir,?,00000104,?,00000000,00000000), ref: 0041CF99
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: QueryValue$CloseOpen
                      • String ID:
                      • API String ID: 1586453840-0
                      • Opcode ID: dea3b3cd17054126432ef6d0252e2d59dfc3e98d0d992e32eb728b6481463599
                      • Instruction ID: d0693de0b644b542a766372247d828e7f1872fae0fa324cbf87ca2de99e3034e
                      • Opcode Fuzzy Hash: dea3b3cd17054126432ef6d0252e2d59dfc3e98d0d992e32eb728b6481463599
                      • Instruction Fuzzy Hash: 2911D3B2A042167FD5308944ED81FEFB799DB8978CF14092BF941D6341E219ED8782AA
                      APIs
                      • RegDeleteValueA.KERNELBASE(0064FD78,?,0064FD78,0064FD78,0040418A,PendingFileRenameOperations,80000002,SYSTEM\CurrentControlSet\Control\Session Manager,00020006,?,00000000,80000002,SYSTEM\CurrentControlSet\Control\Session Manager,00020019), ref: 00467115
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: DeleteValue
                      • String ID:
                      • API String ID: 1108222502-0
                      • Opcode ID: d734be1384f3562e0fa01a9ce59139943571f9378ad6a5c669a74cc9dfe71a05
                      • Instruction ID: f5d8b83f1f3f5cc2b38a40f2817dfa4e39e9585d3ea56416bd6e8ed0ec5449a1
                      • Opcode Fuzzy Hash: d734be1384f3562e0fa01a9ce59139943571f9378ad6a5c669a74cc9dfe71a05
                      • Instruction Fuzzy Hash: A4F0A47231D1216BE2309A7ABC00FDBA3989FA3F24F15403BF901D6380F624DC4281AD
                      APIs
                      • HeapCreate.KERNELBASE(00000000,00001000,00000000,0043E921,00000001), ref: 00445BE5
                        • Part of subcall function 00445A8C: GetVersionExA.KERNEL32 ref: 00445AAB
                      • HeapDestroy.KERNEL32 ref: 00445C24
                        • Part of subcall function 00445DAB: HeapAlloc.KERNEL32(00000000,00000140,00445C0D,000003F8), ref: 00445DB8
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Heap$AllocCreateDestroyVersion
                      • String ID:
                      • API String ID: 2507506473-0
                      • Opcode ID: e003cf813bf1957986dd3aef1ec8a22a0026842bbb0ed5bb9a2c851b4e2c4e28
                      • Instruction ID: daf7e13d2d395d8285f055e8cd3357a963896800db37d72085c71e4a2442be69
                      • Opcode Fuzzy Hash: e003cf813bf1957986dd3aef1ec8a22a0026842bbb0ed5bb9a2c851b4e2c4e28
                      • Instruction Fuzzy Hash: 86F02B70E517019FFF206B30EC8572A7AD19B54B43F20482BF400C91D2FBA88481DA19
                      APIs
                      • RegCloseKey.ADVAPI32(00000000,?,00473138,80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00020019,00000003,00000000,756F1760,00000000,000000FF,00472D17,00653624,00653628), ref: 004747DA
                      • RegOpenKeyExA.KERNELBASE(00000003,00000000,00000000,?,00000003,?,00473138,80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00020019,00000003,00000000,756F1760,00000000,000000FF,00472D17), ref: 00474801
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CloseOpen
                      • String ID:
                      • API String ID: 47109696-0
                      • Opcode ID: 9b4cef63164cf3084b27e7d0cfb1818c3cebc0dd1ca0bd90e6c7e07a6df5a238
                      • Instruction ID: 70b90daceeae18ce5a443048900354208a493e5e0e30e4546c72d658690d1d77
                      • Opcode Fuzzy Hash: 9b4cef63164cf3084b27e7d0cfb1818c3cebc0dd1ca0bd90e6c7e07a6df5a238
                      • Instruction Fuzzy Hash: 65F092B52183529FD724CF68D849F66B3E8BB98700F148D1EB8A6C3280D774E848CB65
                      APIs
                      • RegCloseKey.ADVAPI32(00000000,00000000,0041E3B9,80000002,Software\Microsoft\Windows\CurrentVersion\RunServices,0002001F), ref: 00464DCA
                      • RegOpenKeyExA.KERNELBASE(0041E3B9,80000002,00000000,?,0041E3B9,00000000,0041E3B9,80000002,Software\Microsoft\Windows\CurrentVersion\RunServices,0002001F), ref: 00464DF1
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CloseOpen
                      • String ID:
                      • API String ID: 47109696-0
                      • Opcode ID: 9b4cef63164cf3084b27e7d0cfb1818c3cebc0dd1ca0bd90e6c7e07a6df5a238
                      • Instruction ID: 3b2fefc8ae12d11d8a1332fcc63b324bc27964d8441345601842627fdba6b1b5
                      • Opcode Fuzzy Hash: 9b4cef63164cf3084b27e7d0cfb1818c3cebc0dd1ca0bd90e6c7e07a6df5a238
                      • Instruction Fuzzy Hash: 4FF098B52183029FD724CF68D845F66B3E8BB98700F148D1EB496C3240D774E844CB65
                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 0043E750
                        • Part of subcall function 00441906: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00449AEE,00000009,00000000,00000000,00000001,004422A6,00000001,00000074,?,?,00000000,00000001), ref: 00441943
                        • Part of subcall function 00441906: EnterCriticalSection.KERNEL32(?,?,?,00449AEE,00000009,00000000,00000000,00000001,004422A6,00000001,00000074,?,?,00000000,00000001), ref: 0044195E
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CriticalSection$AllocateEnterHeapInitialize
                      • String ID:
                      • API String ID: 1616793339-0
                      • Opcode ID: c0ef918e3cbcdd4d3365c63eed9736dea234f4fb9d2efb8b817e74e42da29ee3
                      • Instruction ID: 3e8355ce63206f4197006f6a333ea68bd4154da63de8a186773f3535cbbe0956
                      • Opcode Fuzzy Hash: c0ef918e3cbcdd4d3365c63eed9736dea234f4fb9d2efb8b817e74e42da29ee3
                      • Instruction Fuzzy Hash: F921DB32941205ABEB20DF66DC42BDE77A4EB08764F145117F410FB2D1D778A9418B58
                      APIs
                      • RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,00000000,?,00449AEE,00000009,00000000,00000000,00000001,004422A6,00000001,00000074), ref: 0043E616
                        • Part of subcall function 00441906: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00449AEE,00000009,00000000,00000000,00000001,004422A6,00000001,00000074,?,?,00000000,00000001), ref: 00441943
                        • Part of subcall function 00441906: EnterCriticalSection.KERNEL32(?,?,?,00449AEE,00000009,00000000,00000000,00000001,004422A6,00000001,00000074,?,?,00000000,00000001), ref: 0044195E
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CriticalSection$EnterFreeHeapInitialize
                      • String ID:
                      • API String ID: 641406236-0
                      • Opcode ID: 509bc3bd6559ca294a75ce63920e24cf19e680355a0a14bb34be974872d81b90
                      • Instruction ID: 9da724aabcf61ae54fb43d956b3f084c4e3d4186d5af5f35ee172f687f9a4bad
                      • Opcode Fuzzy Hash: 509bc3bd6559ca294a75ce63920e24cf19e680355a0a14bb34be974872d81b90
                      • Instruction Fuzzy Hash: DD21A772806618FBDF219B96DC06B9E7B78EF19724F14111BF410B22D1EB3D9A40CA6D
                      APIs
                      • RtlUnwind.KERNEL32(?,0043C7AB,?,00000000), ref: 0043C7A6
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Unwind
                      • String ID:
                      • API String ID: 3419175465-0
                      • Opcode ID: bb6d5240acf784a1e63f13a8c0e98b9659c691cbcb068dd10ef6fe7731ebe331
                      • Instruction ID: c5bdccba8185990270d11727ab6bc88bac03cdbff723ed1256f03b3f6c0cb5f4
                      • Opcode Fuzzy Hash: bb6d5240acf784a1e63f13a8c0e98b9659c691cbcb068dd10ef6fe7731ebe331
                      • Instruction Fuzzy Hash: EEF0D47A600648FFDB12CF49C985F89BBB8FB09764F10846AF9099B711D379AA00CB50
                      APIs
                      • KiUserExceptionDispatcher.NTDLL(?,?,006028A0,?,00000000,00000000,?,?,005B94A6,005C6C1C,006028A0), ref: 0043F53A
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: DispatcherExceptionUser
                      • String ID:
                      • API String ID: 6842923-0
                      • Opcode ID: bf544b87b26aa8d3db7570c5d211a1e28711bf05bf861f4110d0a7b0cc2e16f5
                      • Instruction ID: e07ffeee5123d626dae19aa6aec8e469d3d961192a26d6a6142720e5a0826682
                      • Opcode Fuzzy Hash: bf544b87b26aa8d3db7570c5d211a1e28711bf05bf861f4110d0a7b0cc2e16f5
                      • Instruction Fuzzy Hash: D2E0E537D0011CBBCF11DF99DC448DEBBB9FB88310F008066F915A7150D670AA55DBA0
                      APIs
                        • Part of subcall function 00488A80: GetCurrentProcess.KERNEL32(00000000,?,00000000,00000000,00489E9E,?,?,?,004162B7,000000FF,SeDebugPrivilege,00000001,004169C8,?), ref: 00488AA7
                        • Part of subcall function 00488A80: GetCurrentProcessId.KERNEL32 ref: 00488AE8
                        • Part of subcall function 00488A80: OpenProcessToken.ADVAPI32(00000000,000F01FF,00000000), ref: 00488B10
                        • Part of subcall function 00488A80: GetLastError.KERNEL32 ref: 00488B1E
                        • Part of subcall function 00488A80: CloseHandle.KERNEL32(00000000), ref: 00488B2E
                        • Part of subcall function 00489C90: LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00489D15
                        • Part of subcall function 00489C90: GetLastError.KERNEL32 ref: 00489D1F
                      • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?), ref: 00489EBD
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Process$CloseCurrentErrorLast$ChangeFindHandleLookupNotificationOpenPrivilegeTokenValue
                      • String ID:
                      • API String ID: 1152176543-0
                      • Opcode ID: f6c598d09721aa3e2aba207d7a942ccced3102282f26459dc3afeb8411e4222e
                      • Instruction ID: fb05e2d4116bbfe213d434f01dff7f78940722de8167ea0ef7cd837e6a575ad5
                      • Opcode Fuzzy Hash: f6c598d09721aa3e2aba207d7a942ccced3102282f26459dc3afeb8411e4222e
                      • Instruction Fuzzy Hash: F5E08C76A065202B9211EA12BC45C7F37A9DEC0721B0A482EF80587300EA389C0A97F6
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c8ad2032057d1bd398fb9f59c5d35ee74fe1cbc7687ee2975aeaeb86f85576f3
                      • Instruction ID: 7d7fb8203b0ba91a0bd69807ff12a8fd191cde30fa99cef7fecc176b96169721
                      • Opcode Fuzzy Hash: c8ad2032057d1bd398fb9f59c5d35ee74fe1cbc7687ee2975aeaeb86f85576f3
                      • Instruction Fuzzy Hash: F4D0C2726192205BD660AA28BC40CEB23C89F80250B05487AF814D2241D334DD058AE6
                      APIs
                      • RegOpenKeyExA.KERNELBASE(00000000,00000000,00000000,?,?,0041CFBC,?,00000000,00020019,?,00000000,?,00000000,0041D09B,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion), ref: 0041CF76
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Open
                      • String ID:
                      • API String ID: 71445658-0
                      • Opcode ID: 9609f61689f598be5270aa8e17069ac6be741299bae8447b4e6cedaa2423809a
                      • Instruction ID: 76da64cd07d4a27825eee4f6bb4ee885e89550cffe4f9bbb0ae4b82bfd2b0d10
                      • Opcode Fuzzy Hash: 9609f61689f598be5270aa8e17069ac6be741299bae8447b4e6cedaa2423809a
                      • Instruction Fuzzy Hash: B9D09EB9258206BFD604CB64CC45F6BB7E9EBC8715F10C91DB55AC3290D634E8448B11
                      APIs
                      • RegCloseKey.KERNELBASE(00000000,?,004731F3,00000000,CurrentMinorVersionNumber,00000000,00000000,CurrentMajorVersionNumber,00000000,80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00020019,00000003,00000000,756F1760,00000000), ref: 0047482A
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Close
                      • String ID:
                      • API String ID: 3535843008-0
                      • Opcode ID: 03f8f115124b0af813da40519679653baff98fb29f5992536dd06a7b33f4a9fb
                      • Instruction ID: b69a27ba658f96a164b193839bc5885d5cbf5e310c0aad42b6a1e023a75d0a22
                      • Opcode Fuzzy Hash: 03f8f115124b0af813da40519679653baff98fb29f5992536dd06a7b33f4a9fb
                      • Instruction Fuzzy Hash: 02C04C7551512187D7705F58B80879677DC5F55310F15846BA896D3244D7749880C668
                      APIs
                      • RegCloseKey.KERNELBASE(00000000,0064FD78,004041A8,PendingFileRenameOperations,?,80000002,SYSTEM\CurrentControlSet\Control\Session Manager,00020006,?,00000000,80000002,SYSTEM\CurrentControlSet\Control\Session Manager,00020019), ref: 00464E1A
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Close
                      • String ID:
                      • API String ID: 3535843008-0
                      • Opcode ID: 03f8f115124b0af813da40519679653baff98fb29f5992536dd06a7b33f4a9fb
                      • Instruction ID: f2e1c956a22ca82742ea582d2acc640cafc17059cb939b9806e283519d2c57eb
                      • Opcode Fuzzy Hash: 03f8f115124b0af813da40519679653baff98fb29f5992536dd06a7b33f4a9fb
                      • Instruction Fuzzy Hash: 0EC04C7150511187DB705F58F80874777DCAF49311F15445BA882D7240D67598808668
                      APIs
                      • RegCloseKey.KERNELBASE(00000000,0041D048,?,?,00000000,0041D09B,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,CommonFilesDir,?,00000104,?,00000000,00000000), ref: 0041CF99
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Close
                      • String ID:
                      • API String ID: 3535843008-0
                      • Opcode ID: 9cedab19bd00d1e670a68689a7bc678a2775b2d325def4d7a6e4cf362c10e0a1
                      • Instruction ID: 5b0c5b4cc779bc280eb32f3f077f943952ff110735800829b61e5baa2db44c80
                      • Opcode Fuzzy Hash: 9cedab19bd00d1e670a68689a7bc678a2775b2d325def4d7a6e4cf362c10e0a1
                      • Instruction Fuzzy Hash: B5B012707043009B8F208B308D4C60B339C5A40700700C416700BC2240C634C800D620
                      APIs
                      • Sleep.KERNELBASE(00000001,?,00000000,0041D267,0041E549,80000002,Software\Microsoft\Windows\CurrentVersion\RunServices,0002001F), ref: 00425673
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Sleep
                      • String ID:
                      • API String ID: 3472027048-0
                      • Opcode ID: 3cd990384f0b52b53186fe00f20efa18c84fa71cc5e49a029331ecd481c99e5b
                      • Instruction ID: d56e56c452cfbe7f4493c76f8bd96d38bb785fc2f80931009f6cf56a3770bb44
                      • Opcode Fuzzy Hash: 3cd990384f0b52b53186fe00f20efa18c84fa71cc5e49a029331ecd481c99e5b
                      • Instruction Fuzzy Hash: E1D0123230062147D7209A1FFC80F57B3EC9FD4710749446BE509D3260D6B0EC819AA8
                      APIs
                      • SetFileSecurityA.ADVAPI32(?,00000004,?), ref: 0048A51C
                      • FindFirstFileA.KERNEL32(?,?), ref: 0048A57F
                      • lstrcmpA.KERNEL32(?,0061F33C), ref: 0048A5A2
                      • lstrcmpA.KERNEL32(?,0061F338), ref: 0048A5B2
                      • SetFileSecurityA.ADVAPI32(?,00000004,?), ref: 0048A613
                      • FindNextFileA.KERNEL32(?,?), ref: 0048A629
                      • FindClose.KERNEL32(?), ref: 0048A63C
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: File$Find$Securitylstrcmp$CloseFirstNext
                      • String ID: %s\%s$%s\*
                      • API String ID: 715288037-2848263008
                      • Opcode ID: 66c2bdda1ba5ee0b8c0a38912c26ecc987ffd6a2390239f9a308a411e9a1a06d
                      • Instruction ID: 3cd987edbb60038c83c8996748087c4ece28f7f2eaf7cc0711bb4878af57ba32
                      • Opcode Fuzzy Hash: 66c2bdda1ba5ee0b8c0a38912c26ecc987ffd6a2390239f9a308a411e9a1a06d
                      • Instruction Fuzzy Hash: 7031E9721057816BD320DB64DC44BEF77A9BBC4705F080E2EE685A6241EA78E9098797
                      APIs
                      • GetTickCount.KERNEL32 ref: 0042096B
                        • Part of subcall function 00420400: GetTickCount.KERNEL32 ref: 0042043F
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CountTick
                      • String ID: CTCfgFuncHlp::CheckFunc [%08x %08x]$CTCfgFuncHlp::CheckFunc( [@@@@]$CheckFunc$CheckFunc IsTDRMSTerminal [%d][%d]$ZSBLK$disfunc_all$enfunc_all
                      • API String ID: 536389180-473999327
                      • Opcode ID: e4344be9f10eee24662df969bf8559ef63064561380f99b1c12ea8cbe3ea1397
                      • Instruction ID: 5c2129e3aa7c72d1ab2b9fbcc110704d3e44df0e8d5d79d8ba1cdecb26d4a1df
                      • Opcode Fuzzy Hash: e4344be9f10eee24662df969bf8559ef63064561380f99b1c12ea8cbe3ea1397
                      • Instruction Fuzzy Hash: 0ED1D3703043658FE724DF15E880B6BB7E2AF90344F84482EE945D7393DB78E949CA5A
                      APIs
                      • FindFirstFileW.KERNEL32(?,?,?,00000000,00000000,?), ref: 00482673
                      • FindNextFileW.KERNEL32(?,?), ref: 00482A0A
                      • SetLastError.KERNEL32(00000008), ref: 00482A27
                      • FindClose.KERNEL32(?), ref: 00482A32
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Find$File$CloseErrorFirstLastNext
                      • String ID: $\\?\
                      • API String ID: 819619735-1548844412
                      • Opcode ID: 991ce9ec2b4d79add840c8ad9925feb53471bac36b24196c2e89c9e2305e21d9
                      • Instruction ID: ec1b3f374948d591a99fe50248217c4d14d47b5400cf94d1f9182444595ed8cc
                      • Opcode Fuzzy Hash: 991ce9ec2b4d79add840c8ad9925feb53471bac36b24196c2e89c9e2305e21d9
                      • Instruction Fuzzy Hash: 47B1A4B56043415BD730BB25DE49B6FB7D8AF84704F14491EF98893381EBB8D805C7AA
                      APIs
                      • CloseHandle.KERNEL32(?,00000000,?,?,004D65E0,?,?,00000000,?,?,?,?,?,?,?,?), ref: 004D6584
                        • Part of subcall function 004565F0: lstrlenA.KERNEL32(?,00000000,?,?,00000000,004750DF,0064FD78), ref: 004565FF
                        • Part of subcall function 004565F0: InterlockedDecrement.KERNEL32(-0000000C), ref: 00456636
                        • Part of subcall function 004565F0: InterlockedDecrement.KERNEL32(0065348C), ref: 004566E6
                        • Part of subcall function 004565F0: lstrlenW.KERNEL32(?,00000000,004750DF,0064FD78), ref: 0045674D
                      • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 004D6304
                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 004D6314
                        • Part of subcall function 005BB570: __EH_prolog.LIBCMT ref: 005BB575
                        • Part of subcall function 005BB267: InterlockedDecrement.KERNEL32(-000000F4), ref: 005BB27B
                      • CloseHandle.KERNEL32(?,00000000,?,?,004D65E0,?,?,00000000,?,?,?,?,?,?,?,?), ref: 004D64FA
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: DecrementInterlocked$CloseDescriptorHandleSecuritylstrlen$DaclH_prologInitialize
                      • String ID: Global\$INIW_%s%s
                      • API String ID: 3970062799-1336670644
                      • Opcode ID: 82bdec7f768e49e13318f376d8a48414bafca2632568a7c68d0871ec49911726
                      • Instruction ID: c5154d9aa05cf8ac5c43d7ab72c0c0273bf28c07b450b51aec933862b0fb9299
                      • Opcode Fuzzy Hash: 82bdec7f768e49e13318f376d8a48414bafca2632568a7c68d0871ec49911726
                      • Instruction Fuzzy Hash: FEC1C7B14083419BD720EB24D895BAFB7E4AFD4304F44491EF99A43391EBB8A548C76B
                      APIs
                        • Part of subcall function 004380D0: LoadLibraryW.KERNEL32(advapi32.dll,00000000,00488375,00417E99), ref: 00438104
                        • Part of subcall function 0048CAA0: LoadLibraryW.KERNEL32(Userenv.dll,00000000,004102C8), ref: 0048CAD4
                        • Part of subcall function 00410140: FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 00410174
                        • Part of subcall function 00410140: GetWindowThreadProcessId.USER32(00000000,?), ref: 00410184
                        • Part of subcall function 004884E0: GetTokenInformation.ADVAPI32 ref: 00488506
                        • Part of subcall function 004884E0: GetTokenInformation.ADVAPI32(?,00000013(TokenIntegrityLevel)), ref: 0048852A
                        • Part of subcall function 004884E0: DuplicateTokenEx.ADVAPI32(?,000F01FF,00000000,00000001,00000001,00000000), ref: 0048856E
                        • Part of subcall function 004884E0: GetLastError.KERNEL32 ref: 0048857C
                      • CreateProcessAsUserW.ADVAPI32(00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?), ref: 0041048C
                      • CloseHandle.KERNEL32(?), ref: 004104B7
                      • GetLastError.KERNEL32 ref: 004104BF
                      • CloseHandle.KERNEL32(00000000), ref: 004104EE
                      • CloseHandle.KERNEL32(00000000), ref: 004104F5
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CloseHandleToken$ErrorInformationLastLibraryLoadProcessWindow$CreateDuplicateFindThreadUser
                      • String ID: D
                      • API String ID: 2763383393-2746444292
                      • Opcode ID: 1bc53cd85122b60ed38e873150454f3b58cfd8af7e06bfbf969ad70800dd566c
                      • Instruction ID: 4eba4a58718501462497465832157832c7663eeb8331f3cf9bd341a99b5d802c
                      • Opcode Fuzzy Hash: 1bc53cd85122b60ed38e873150454f3b58cfd8af7e06bfbf969ad70800dd566c
                      • Instruction Fuzzy Hash: 3C51A3726083459BD730DF64D8809AFB7E5ABC8304F00493EFA9993340DB79A9858B97
                      APIs
                      • GetLocaleInfoA.KERNEL32(?,?,?,?), ref: 0044C5E2
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: InfoLocale
                      • String ID: 040a$1252$850$ESP$ESP
                      • API String ID: 2299586839-1770330732
                      • Opcode ID: 0d2973613b7009458d09c14dfc0cb869e2a733e7d381ee801938d85bc923ee8a
                      • Instruction ID: a8c0f05e7e630a6e25c092f72d0854c7f09428d5e26c0a499085f59c731f0f3a
                      • Opcode Fuzzy Hash: 0d2973613b7009458d09c14dfc0cb869e2a733e7d381ee801938d85bc923ee8a
                      • Instruction Fuzzy Hash: 3C216E32102201BBE7584E28DDC597ABB55D798301B5ED03BE406CB291DE35FD49C2C8
                      APIs
                      • GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 004100DF
                      • GetLastError.KERNEL32 ref: 004100E5
                      • GetProcessHeap.KERNEL32(00000008,?), ref: 004100F7
                      • HeapAlloc.KERNEL32(00000000), ref: 004100FE
                      • GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00410118
                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00410126
                      • HeapFree.KERNEL32(00000000), ref: 0041012D
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Heap$InformationProcessToken$AllocErrorFreeLast
                      • String ID:
                      • API String ID: 3196765731-0
                      • Opcode ID: 7ea043e96e91865b230d4db9de4b238b073a7de108bc7c321b90c4f9b829e2df
                      • Instruction ID: 9c6b9cda051ae50d3c71ca6402e64543e9a00b840818f8c56309997f66d8f14c
                      • Opcode Fuzzy Hash: 7ea043e96e91865b230d4db9de4b238b073a7de108bc7c321b90c4f9b829e2df
                      • Instruction Fuzzy Hash: 49019E72206305BBD2308F55EC48EABBBACFBC8751F04491BF646C7240DA65E845CBB4
                      APIs
                      • FindFirstFileW.KERNEL32(?,?,00000001,00000000,?), ref: 004821AB
                      • FindNextFileW.KERNEL32(?,?), ref: 00482313
                      • FindClose.KERNEL32(?), ref: 00482326
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Find$File$CloseFirstNext
                      • String ID:
                      • API String ID: 3541575487-3916222277
                      • Opcode ID: e28cf8d73ebda37f5f365ed608651c2a3ee479def419042bbdd925bf1adb5bd2
                      • Instruction ID: 7a4a3f4bad9e7df800470434919d3eec47fd56d742814472f6cbebda4e550987
                      • Opcode Fuzzy Hash: e28cf8d73ebda37f5f365ed608651c2a3ee479def419042bbdd925bf1adb5bd2
                      • Instruction Fuzzy Hash: 195194741043419FD730EF28C988BFBB3E9EF88304F14491DE99987354EBB9A9058B66
                      APIs
                        • Part of subcall function 0048A780: LoadLibraryW.KERNEL32(ntdll.dll,004073D0), ref: 0048A7AB
                      • GetCurrentProcessId.KERNEL32(SeTcbPrivilege,00000001,00000000,?,?,?,?,004A547F,00000005), ref: 004A62A4
                      • NtQuerySystemInformation.NTDLL(?,00000000,00008000,00000000), ref: 004A62E1
                      • GetLastError.KERNEL32(00000005), ref: 004A631F
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CurrentErrorInformationLastLibraryLoadProcessQuerySystem
                      • String ID: SeTcbPrivilege
                      • API String ID: 1348357619-1502394177
                      • Opcode ID: 302faa7550833f916fdcd97b7e088b0cc53f46a2e64859f29926b4ec30c5cab6
                      • Instruction ID: fe5dbaca0c455dfb9b6cfab2db8f937143228ced50d0c4c9880c94dcbcbb34e9
                      • Opcode Fuzzy Hash: 302faa7550833f916fdcd97b7e088b0cc53f46a2e64859f29926b4ec30c5cab6
                      • Instruction Fuzzy Hash: E5113A72B0231017EB346624AC44B2F6689EBA2B60F0E453FFE0687301DA39CC114795
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 94d3a78f14d89b1682a01d181dbfc037902db5ab87c97523286446f4dc5ddc8f
                      • Instruction ID: 13ddf63e1cab546bbeb660313f3a368663c87d730a4ca87724de986eeef2de52
                      • Opcode Fuzzy Hash: 94d3a78f14d89b1682a01d181dbfc037902db5ab87c97523286446f4dc5ddc8f
                      • Instruction Fuzzy Hash: 73F03131604108ABCF11AF61DC849AE3B79EF08384F04D027FD16E5161D739DA15AF59
                      APIs
                      • FindResourceExA.KERNEL32(006501B0,00000006,00650231,006501B0), ref: 0045A281
                      • LoadResource.KERNEL32(006501B0,00000000), ref: 0045A28D
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Resource$FindLoad
                      • String ID:
                      • API String ID: 2619053042-0
                      • Opcode ID: f956e9c6e445be1a0a565905920a7263ea0a86acf557c558562f88bb1a57d365
                      • Instruction ID: 439f0b7d9710e3cc0c02f5a6092ad033ba8b2c39354d904afdf6dac5e141b38a
                      • Opcode Fuzzy Hash: f956e9c6e445be1a0a565905920a7263ea0a86acf557c558562f88bb1a57d365
                      • Instruction Fuzzy Hash: E00100322052125F9729CA28EC4197BB399FFC0310B15467EFC02C7741DA35EC4A8695
                      APIs
                      • EnumSystemLocalesA.KERNEL32(0044C096,00000001,006327F4,0044574E,?,0065318C,?,?,?,00000000), ref: 0044C075
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: EnumLocalesSystem
                      • String ID:
                      • API String ID: 2099609381-0
                      • Opcode ID: eb676444e836d776686211b8d49c82217d909136ebd1428044caa2bff42f7f13
                      • Instruction ID: 39dbf2318c22f41e96d35eb6e3d724caced2adadf318f2c59f54317b0be41047
                      • Opcode Fuzzy Hash: eb676444e836d776686211b8d49c82217d909136ebd1428044caa2bff42f7f13
                      • Instruction Fuzzy Hash: 58F08C315513A2CAE750DF79ED8935437E2A304FC6F04661BE4119A3B0CFBA8A44AA08
                      APIs
                      • EnumSystemLocalesA.KERNEL32(0044C2F0,00000001,?,006327F4,0044574E,?,0065318C,?,?,?,00000000), ref: 0044C2D9
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: EnumLocalesSystem
                      • String ID:
                      • API String ID: 2099609381-0
                      • Opcode ID: 0c1fd217d757ee0ac6d81d2bcdae334964d0c18ca67ef54f4e201f894ec456d1
                      • Instruction ID: 5857ffbf9d82a3455e4f527150d4682041544d409fffc1043b77b44666945d40
                      • Opcode Fuzzy Hash: 0c1fd217d757ee0ac6d81d2bcdae334964d0c18ca67ef54f4e201f894ec456d1
                      • Instruction Fuzzy Hash: C3E06D719513928AE740DF75EC8A7243BD2B314BC6F44615BE000942B1CBFA4A44AF08
                      APIs
                      • EnumSystemLocalesA.KERNEL32(0044C3E4,00000001,00632878,?,006327F4,0044574E,?,0065318C,?,?,?,00000000), ref: 0044C3CD
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: EnumLocalesSystem
                      • String ID:
                      • API String ID: 2099609381-0
                      • Opcode ID: 32ce5046bad0991eb3a4a2831aa056b3a3a6635bac48585c78c3d4fea4526457
                      • Instruction ID: 9bb92fc30a082812b3c5652e68f58989b417e569486e0baa071e15c9ff2e05e9
                      • Opcode Fuzzy Hash: 32ce5046bad0991eb3a4a2831aa056b3a3a6635bac48585c78c3d4fea4526457
                      • Instruction Fuzzy Hash: 99D05E70A403929AF701CF35AC887283AA5A314F96F50A51BE841C92F0CABA4A449F04
                      APIs
                      • SetUnhandledExceptionFilter.KERNEL32(Function_00048296), ref: 004482E1
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: ExceptionFilterUnhandled
                      • String ID:
                      • API String ID: 3192549508-0
                      • Opcode ID: a5b8cfe374f71f3ad776b915bbf3d10cbd5fb4a2f9d2386ed9b5ee44441c90dc
                      • Instruction ID: bdac01016a31c3e61ed1a309bfa4cd3d7c10c9a7c46dfb8e61b7f4a1c549f68e
                      • Opcode Fuzzy Hash: a5b8cfe374f71f3ad776b915bbf3d10cbd5fb4a2f9d2386ed9b5ee44441c90dc
                      • Instruction Fuzzy Hash: 47A002F8743B118B97209F60FE0954C7BE1BA56B53F1218AFA50295368DFB40315EB36
                      APIs
                      • SetUnhandledExceptionFilter.KERNEL32 ref: 004482F3
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: ExceptionFilterUnhandled
                      • String ID:
                      • API String ID: 3192549508-0
                      • Opcode ID: 55c6dd8582ce6d280a0100a4ca28dcedb35bf21ff4fc06b8328edf4efdb89275
                      • Instruction ID: b0baf8b02c26282e8bf4b7fc1ebe0e0b719b0eecb812c3c820a75abd95a2655f
                      • Opcode Fuzzy Hash: 55c6dd8582ce6d280a0100a4ca28dcedb35bf21ff4fc06b8328edf4efdb89275
                      • Instruction Fuzzy Hash:
                      APIs
                      • LoadLibraryW.KERNEL32(advapi32.dll,00000000,00488375,00417E99), ref: 00438104
                      • LoadLibraryA.KERNEL32(advapi32.dll,00000000,00488375,00417E99), ref: 00438111
                      • GetProcAddress.KERNEL32(00000000,OpenThreadToken), ref: 0043812C
                      • GetProcAddress.KERNEL32(00000000,SetThreadToken), ref: 00438139
                      • GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00438146
                      • GetProcAddress.KERNEL32(00000000,DuplicateToken), ref: 00438153
                      • GetProcAddress.KERNEL32(00000000,DuplicateTokenEx), ref: 00438160
                      • GetProcAddress.KERNEL32(00000000,GetTokenInformation), ref: 0043816D
                      • GetProcAddress.KERNEL32(00000000,SetTokenInformation), ref: 0043817A
                      • GetProcAddress.KERNEL32(00000000,GetFileSecurityA), ref: 00438187
                      • GetProcAddress.KERNEL32(00000000,GetFileSecurityW), ref: 00438194
                      • GetProcAddress.KERNEL32(00000000,SetFileSecurityA), ref: 004381A1
                      • GetProcAddress.KERNEL32(00000000,SetFileSecurityW), ref: 004381AE
                      • GetProcAddress.KERNEL32(00000000,RegGetKeySecurity), ref: 004381BB
                      • GetProcAddress.KERNEL32(00000000,RegSetKeySecurity), ref: 004381C8
                      • GetProcAddress.KERNEL32(00000000,GetKernelObjectSecurity), ref: 004381D5
                      • GetProcAddress.KERNEL32(00000000,SetKernelObjectSecurity), ref: 004381E2
                      • GetProcAddress.KERNEL32(00000000,GetAclInformation), ref: 004381EF
                      • GetProcAddress.KERNEL32(00000000,SetAclInformation), ref: 004381FC
                      • GetProcAddress.KERNEL32(00000000,GetSecurityDescriptorDacl), ref: 00438209
                      • GetProcAddress.KERNEL32(00000000,SetSecurityDescriptorDacl), ref: 00438216
                      • GetProcAddress.KERNEL32(00000000,GetSecurityDescriptorGroup), ref: 00438223
                      • GetProcAddress.KERNEL32(00000000,SetSecurityDescriptorGroup), ref: 00438230
                      • GetProcAddress.KERNEL32(00000000,GetSecurityDescriptorOwner), ref: 0043823D
                      • GetProcAddress.KERNEL32(00000000,SetSecurityDescriptorOwner), ref: 0043824A
                      • GetProcAddress.KERNEL32(00000000,GetSecurityDescriptorSacl), ref: 00438257
                      • GetProcAddress.KERNEL32(00000000,SetSecurityDescriptorSacl), ref: 00438264
                      • GetProcAddress.KERNEL32(00000000,LookupAccountNameA), ref: 00438271
                      • GetProcAddress.KERNEL32(00000000,LookupAccountNameW), ref: 0043827E
                      • GetProcAddress.KERNEL32(00000000,LookupAccountSidA), ref: 0043828B
                      • GetProcAddress.KERNEL32(00000000,LookupAccountSidW), ref: 00438298
                      • GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 004382A5
                      • GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueW), ref: 004382B2
                      • GetProcAddress.KERNEL32(00000000,LookupPrivilegeNameA), ref: 004382BF
                      • GetProcAddress.KERNEL32(00000000,LookupPrivilegeNameW), ref: 004382CC
                      • GetProcAddress.KERNEL32(00000000,LookupPrivilegeDisplayNameA), ref: 004382D9
                      • GetProcAddress.KERNEL32(00000000,LookupPrivilegeDisplayNameW), ref: 004382E6
                      • GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 004382F3
                      • GetProcAddress.KERNEL32(00000000,ImpersonateAnonymousToken), ref: 00438300
                      • GetProcAddress.KERNEL32(00000000,ImpersonateNamedPipeClient), ref: 0043830D
                      • GetProcAddress.KERNEL32(00000000,ImpersonateLoggedOnUser), ref: 0043831A
                      • GetProcAddress.KERNEL32(00000000,RevertToSelf), ref: 00438327
                      • GetProcAddress.KERNEL32(00000000,LogonUserA), ref: 00438334
                      • GetProcAddress.KERNEL32(00000000,LogonUserW), ref: 00438341
                      • GetProcAddress.KERNEL32(00000000,CreateProcessAsUserA), ref: 0043834E
                      • GetProcAddress.KERNEL32(00000000,CreateProcessAsUserW), ref: 0043835B
                      • GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 00438368
                      • GetProcAddress.KERNEL32(00000000,CreateProcessWithTokenW), ref: 00438375
                      • GetProcAddress.KERNEL32(00000000,ConvertSidToStringSidA), ref: 00438382
                      • GetProcAddress.KERNEL32(00000000,ConvertSidToStringSidW), ref: 0043838F
                      • GetProcAddress.KERNEL32(00000000,ConvertStringSidToSidA), ref: 0043839C
                      • GetProcAddress.KERNEL32(00000000,ConvertStringSidToSidW), ref: 004383A9
                      • GetProcAddress.KERNEL32(00000000,ConvertStringSecurityDescriptorToSecurityDescriptorA), ref: 004383B6
                      • GetProcAddress.KERNEL32(00000000,ConvertStringSecurityDescriptorToSecurityDescriptorW), ref: 004383C3
                      • GetProcAddress.KERNEL32(00000000,CopySid), ref: 004383D0
                      • GetProcAddress.KERNEL32(00000000,EqualSid), ref: 004383DD
                      • GetProcAddress.KERNEL32(00000000,EqualPrefixSid), ref: 004383EA
                      • GetProcAddress.KERNEL32(00000000,FreeSid), ref: 004383F7
                      • GetProcAddress.KERNEL32(00000000,QueryServiceConfig2A), ref: 00438404
                      • GetProcAddress.KERNEL32(00000000,QueryServiceConfig2W), ref: 00438411
                      • GetProcAddress.KERNEL32(00000000,ChangeServiceConfig2A), ref: 0043841E
                      • GetProcAddress.KERNEL32(00000000,ChangeServiceConfig2W), ref: 0043842B
                      • GetProcAddress.KERNEL32(00000000,QueryServiceStatusEx), ref: 00438438
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: AddressProc$LibraryLoad
                      • String ID: AdjustTokenPrivileges$ChangeServiceConfig2A$ChangeServiceConfig2W$ConvertSidToStringSidA$ConvertSidToStringSidW$ConvertStringSecurityDescriptorToSecurityDescriptorA$ConvertStringSecurityDescriptorToSecurityDescriptorW$ConvertStringSidToSidA$ConvertStringSidToSidW$CopySid$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessWithLogonW$CreateProcessWithTokenW$DuplicateToken$DuplicateTokenEx$EqualPrefixSid$EqualSid$FreeSid$GetAclInformation$GetFileSecurityA$GetFileSecurityW$GetKernelObjectSecurity$GetSecurityDescriptorDacl$GetSecurityDescriptorGroup$GetSecurityDescriptorOwner$GetSecurityDescriptorSacl$GetTokenInformation$ImpersonateAnonymousToken$ImpersonateLoggedOnUser$ImpersonateNamedPipeClient$LogonUserA$LogonUserW$LookupAccountNameA$LookupAccountNameW$LookupAccountSidA$LookupAccountSidW$LookupPrivilegeDisplayNameA$LookupPrivilegeDisplayNameW$LookupPrivilegeNameA$LookupPrivilegeNameW$LookupPrivilegeValueA$LookupPrivilegeValueW$OpenProcessToken$OpenThreadToken$QueryServiceConfig2A$QueryServiceConfig2W$QueryServiceStatusEx$RegGetKeySecurity$RegSetKeySecurity$RevertToSelf$SetAclInformation$SetFileSecurityA$SetFileSecurityW$SetKernelObjectSecurity$SetSecurityDescriptorDacl$SetSecurityDescriptorGroup$SetSecurityDescriptorOwner$SetSecurityDescriptorSacl$SetThreadToken$SetTokenInformation$advapi32.dll$advapi32.dll
                      • API String ID: 2238633743-1986207285
                      • Opcode ID: 417ee41dbe388106df9c577fb3815cd8ad0bcae263febfae79ab45a79346d517
                      • Instruction ID: b2ab8aceb4a56bc9a1b0003152fb802a55ebf23fb51d58fe5712a0cd02148886
                      • Opcode Fuzzy Hash: 417ee41dbe388106df9c577fb3815cd8ad0bcae263febfae79ab45a79346d517
                      • Instruction Fuzzy Hash: 40818D74D92394A69720FF76AD4AD872AEEEED7742F025427F400DB191DAB48041CFE4
                      APIs
                        • Part of subcall function 005B8FEE: FileTimeToLocalFileTime.KERNEL32(?,?,00000000,?,?,00000000,0042A497,?,000000FF,?,?,?,?), ref: 005B8FFE
                        • Part of subcall function 005B8FEE: FileTimeToSystemTime.KERNEL32(?,?,?,?,00000000,0042A497,?,000000FF,?,?,?,?), ref: 005B9010
                        • Part of subcall function 00456240: InterlockedDecrement.KERNEL32(-000000F4), ref: 00456256
                      • GetLastError.KERNEL32(?,?,?,?,?,000000FF,?,?,?,?,?,?,?,?,80000002,00650EB0), ref: 0042A4E9
                      • GetLastError.KERNEL32(0000010B,?,tpacketv_check,00000000,00000000,00000001), ref: 0042A626
                      • GetLastError.KERNEL32(0000010F,?,tpacketv_check,00000000,00000000,00000001), ref: 0042A6A3
                      • Sleep.KERNEL32(000007D0), ref: 0042A780
                      • GetLastError.KERNEL32 ref: 0042A79D
                      • GetLastError.KERNEL32 ref: 0042A7D2
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: ErrorLast$Time$File$DecrementInterlockedLocalSleepSystem
                      • String ID: $!!!!$%s\%s$%s\drivers\%s$@@@@$CTPacketVMgr2::InstTPacketV 1$CTPacketVMgr2::InstTPacketV [----]$CTPacketVMgr2::InstTpacketV 2 [%s] -> [%s]$CTPacketVMgr2::InstTpacketV 3 [%d] [%08x]$CTPacketVMgr2::InstTpacketV 4 [%d] [%d] [%d]$CTPacketVMgr2::InstTpacketV 41 [%d] [%08x]$CTPacketVMgr2::InstTpacketV 42 [%d] [%d] [%d]$CTPacketVMgr2::InstTpacketV 43 [%d] [%d] [%d] [%d]$CTPacketVMgr2::InstTpacketV 43 [Uninstall] [!!!!] [%d]$CTPacketVMgr2::InstTpacketV 5 [%d] [%d] [%lu]$CTPacketVMgr2::InstTpacketV 6 [%d]$CTPacketVMgr2::InstTpacketV [====]$CTPacketVMgr2::InstTpacketV [CheckDis] 3 [!!!!]$TPacketV$baktpkt7.sys$baktpkt764.sys$baktpktv.sys$baktpktv64.sys$tpacket7$tpacket7.sys$tpacketv.sys$tpacketv_check$tpacketvmp
                      • API String ID: 496755759-3214344546
                      • Opcode ID: 7551b020da8b82f36d322351858a7a0f33ccba761cc2abe3bd556747f9c3b7c9
                      • Instruction ID: aae21a04509f88f88c73083ae8a2e7a2a3a1883b5b8f561b4301f4e3f340a57d
                      • Opcode Fuzzy Hash: 7551b020da8b82f36d322351858a7a0f33ccba761cc2abe3bd556747f9c3b7c9
                      • Instruction Fuzzy Hash: 36E1D170704361ABD320EF55E846F6B76E5AFD4B08F44081EF98557282EB78D844CB67
                      APIs
                        • Part of subcall function 0041CB70: GetFileAttributesA.KERNELBASE(?,?,00000000,6CBB7310,0041E823,00000000,00000006,songxia_zd,?,00000000,00000001), ref: 0041CB7E
                        • Part of subcall function 0041CB70: SetFileAttributesA.KERNEL32(?,00000000,?,00000000,00000001), ref: 0041CB97
                        • Part of subcall function 0041CB70: DeleteFileA.KERNEL32(?,?,00000000,00000001), ref: 0041CB9A
                        • Part of subcall function 0041CB70: CreateDirectoryA.KERNELBASE(?,00000000,?,00000000,00000001), ref: 0041CBA7
                      • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00426405
                      • CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00426626
                      • WriteFile.KERNEL32(00000000,006252F4,?,?,00000000), ref: 00426651
                      • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 00426658
                      • CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?,?,00000000), ref: 0042668F
                      • WriteFile.KERNEL32(00000000,00624898,?,?,00000000,?,?,?,00000000), ref: 004266BB
                      • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,00000000), ref: 004266C2
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: File$Create$AttributesCloseDirectoryHandleWrite$DeleteWindows
                      • String ID: %s\%s$C:\TpacketV$InstTpacketV$PrepareInstallDirectory 1 0x%lx$PrepareInstallDirectory 2 0x%lx$PrepareInstallDirectory 3$PrepareInstallDirectory 5$PrepareInstallDirectory 6 [%s] -> [%s]$PrepareInstallDirectory 7 [%s] [%s]$PrepareInstallDirectory 8 [%s] [%s]$PrepareInstallDirectory 9 [%s] [%s]$baktpktv.sys$baktpktv64.sys$baktpktvcat.sys$baktpktvmcat.sys$netsf.cat$netsf.inf$netsf_m.cat$netsf_m.inf$tpacketv.sys
                      • API String ID: 170119342-559033273
                      • Opcode ID: 44e6053618e6bcb10cacc4e1e10e942ac7849f989d793216082f9cfe52a8b856
                      • Instruction ID: 63b51610b268c79ab54b3cd963bfe11e472ffd69b8b4adc88ef681312ba6dd3d
                      • Opcode Fuzzy Hash: 44e6053618e6bcb10cacc4e1e10e942ac7849f989d793216082f9cfe52a8b856
                      • Instruction Fuzzy Hash: 11D12B71644340AFD320EB60EC82FAB77D5AB98714F410A1EF585532C2EB78A648CF57
                      APIs
                      • RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,00020019,00000000,?,00000000,?,%s\Properties,?), ref: 0041C52B
                      • RegQueryValueExW.ADVAPI32(?,Security,00000000,?,00000000,?), ref: 0041C557
                      • RegQueryValueExW.ADVAPI32(?,Security,00000000,?,00000000,?), ref: 0041C5B5
                      • RegCloseKey.ADVAPI32(?), ref: 0041C5F4
                      • RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0041C623
                      • RegSetValueExW.ADVAPI32(?,Class,00000000,00000001,?,00000002), ref: 0041C655
                      • RegSetValueExW.ADVAPI32(?,NoDisplayClass,00000000,00000001,?,00000004), ref: 0041C69D
                      • RegSetValueExW.ADVAPI32(?,NoUseClass,00000000,00000001,?,00000004), ref: 0041C6DC
                      • RegCreateKeyExW.ADVAPI32(?,Properties,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0041C724
                      • RegSetValueExW.ADVAPI32(?,Security,00000000,00000003,?,?), ref: 0041C747
                      • RegCloseKey.ADVAPI32(?), ref: 0041C802
                      • RegCloseKey.ADVAPI32(?), ref: 0041C811
                      Strings
                      • CSetDeviceSDDL::SetDevSDDL RegCreateKeyEx Fail! subkey[Properties] err[%lu], xrefs: 0041C79B
                      • Class, xrefs: 0041C64F
                      • %s\Properties, xrefs: 0041C4FB
                      • CSetDeviceSDDL::SetDevSDDL RegSetValueExW NoUseClass Fail! err[%lu], xrefs: 0041C6ED
                      • NoDisplayClass, xrefs: 0041C693
                      • SDDL, xrefs: 0041C66B, 0041C6B3, 0041C6F2, 0041C765, 0041C7A0, 0041C7C6
                      • Properties, xrefs: 0041C71E
                      • CSetDeviceSDDL::SetDevSDDL RegSetValueExW NoDisplayClass Fail! err[%lu], xrefs: 0041C6AE
                      • CSetDeviceSDDL::SetDevSDDL RegSetValueExW Security Fail! ulSize[%lu] err[%lu], xrefs: 0041C7C1
                      • CSetDeviceSDDL::SetDevSDDL RegCreateKeyEx Fail! subkey[%s] err[%lu], xrefs: 0041C78A
                      • SYSTEM\CurrentControlSet\Control\Class\{%s}, xrefs: 0041C4D6
                      • NoUseClass, xrefs: 0041C6D6
                      • CSetDeviceSDDL::SetDevSDDL RegSetValueExW Class Fail! err[%lu], xrefs: 0041C666
                      • CSetDeviceSDDL::SetDevSDDL succeed!, xrefs: 0041C760
                      • Security, xrefs: 0041C549, 0041C5AF, 0041C741
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Value$CloseCreate$Query
                      • String ID: %s\Properties$CSetDeviceSDDL::SetDevSDDL RegCreateKeyEx Fail! subkey[%s] err[%lu]$CSetDeviceSDDL::SetDevSDDL RegCreateKeyEx Fail! subkey[Properties] err[%lu]$CSetDeviceSDDL::SetDevSDDL RegSetValueExW Class Fail! err[%lu]$CSetDeviceSDDL::SetDevSDDL RegSetValueExW NoDisplayClass Fail! err[%lu]$CSetDeviceSDDL::SetDevSDDL RegSetValueExW NoUseClass Fail! err[%lu]$CSetDeviceSDDL::SetDevSDDL RegSetValueExW Security Fail! ulSize[%lu] err[%lu]$CSetDeviceSDDL::SetDevSDDL succeed!$Class$NoDisplayClass$NoUseClass$Properties$SDDL$SYSTEM\CurrentControlSet\Control\Class\{%s}$Security
                      • API String ID: 2917175676-1549986081
                      • Opcode ID: 4695e2e04f319aef9459f2ea620f6209388c2f2def9cd8200e95b3e41fd58dab
                      • Instruction ID: 1009ef386a6301276b273626a52d848f4f31d8331d0e193305c6a09e42a9f373
                      • Opcode Fuzzy Hash: 4695e2e04f319aef9459f2ea620f6209388c2f2def9cd8200e95b3e41fd58dab
                      • Instruction Fuzzy Hash: 99B10470684312ABD320DB55DCC1F6BB7E9EB95B44F00441EF946A7381E7B4E844CB66
                      APIs
                      • GetLastError.KERNEL32 ref: 004806BB
                      • SetLastError.KERNEL32(00000000), ref: 004806CF
                      • GetFileAttributesW.KERNEL32(?), ref: 004806EB
                      • GetFileAttributesW.KERNEL32(?), ref: 00480764
                      • SetFileAttributesW.KERNEL32(?,00000000), ref: 0048076A
                      • RemoveDirectoryW.KERNEL32(?), ref: 00480771
                      • GetLastError.KERNEL32 ref: 0048077B
                      • SetLastError.KERNEL32(00000000), ref: 0048078B
                      • DeleteFileW.KERNEL32(?), ref: 0048079A
                      • GetFileAttributesW.KERNEL32(?), ref: 004807A1
                      • SetFileAttributesW.KERNEL32(?,00000000), ref: 004807B4
                      • DeleteFileW.KERNEL32(?), ref: 004807BB
                      • MoveFileW.KERNEL32(?,?), ref: 004807D6
                      • GetLastError.KERNEL32 ref: 004807F2
                      • SetLastError.KERNEL32(00000057), ref: 00480862
                      • GetFileAttributesW.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 004808B7
                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,00000000,00000000,00000000,00000000), ref: 004808D0
                      • DeleteFileW.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 004808DB
                      • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00000000,00000000,00000000,00000000), ref: 004808E8
                      • GetLastError.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00480903
                      • SetLastError.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000,00000000), ref: 00480913
                      • MoveFileW.KERNEL32(?,?), ref: 0048091E
                      • GetLastError.KERNEL32 ref: 00480922
                      • SetLastError.KERNEL32(00000000), ref: 00480932
                      • SetLastError.KERNEL32(0000007F), ref: 00480969
                      • GetLastError.KERNEL32 ref: 0048098A
                      • SetLastError.KERNEL32(00000000), ref: 0048099A
                      • SetLastError.KERNEL32(00000057), ref: 004809C2
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: ErrorLast$File$Attributes$Delete$DirectoryMove$CreateRemove
                      • String ID:
                      • API String ID: 3187055061-0
                      • Opcode ID: c14cbbdffc59d75cc4c96caa4c4a8536f11572d83beb549201382dbc2e7e6f35
                      • Instruction ID: 47e592a007946f62704f44ea6affe891295308d8cebc7d55842eca1ed1781466
                      • Opcode Fuzzy Hash: c14cbbdffc59d75cc4c96caa4c4a8536f11572d83beb549201382dbc2e7e6f35
                      • Instruction Fuzzy Hash: 249135711013046BE760BB64AC88B6F3798EF90755F140D2BF945D2391E73CA94D876A
                      APIs
                      • GetLastError.KERNEL32(?,?,?,00000000,00000000,?,00000002), ref: 0048034B
                      • SetLastError.KERNEL32(00000000,?,?,?,00000000,00000000,?,00000002), ref: 0048035F
                      • GetFileAttributesA.KERNEL32(?,?,?,?,00000000,00000000,?,00000002), ref: 0048037B
                      • GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002), ref: 004803F4
                      • SetFileAttributesA.KERNEL32(?,00000000,?,?,?,?,?,?,?,00000000,00000000,?,00000002), ref: 004803FA
                      • RemoveDirectoryA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002), ref: 00480401
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,?,00000002), ref: 0048040B
                      • SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,00000000,?,00000002), ref: 0048041B
                      • DeleteFileA.KERNEL32(?,?,?,?,00000000,00000000,?,00000002), ref: 0048042A
                      • GetFileAttributesA.KERNEL32(?,?,?,?,00000000,00000000,?,00000002), ref: 00480431
                      • SetFileAttributesA.KERNEL32(?,00000000,?,?,?,00000000,00000000,?,00000002), ref: 00480444
                      • DeleteFileA.KERNEL32(?,?,?,?,00000000,00000000,?,00000002), ref: 0048044B
                      • MoveFileA.KERNEL32(?,?), ref: 00480466
                      • GetLastError.KERNEL32 ref: 00480480
                      • SetLastError.KERNEL32(00000057,?,?,?,?,?,00000000,00000000,?,00000002), ref: 004804ED
                      • GetFileAttributesA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000,?), ref: 00480542
                      • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 0048055B
                      • DeleteFileA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000,?), ref: 00480566
                      • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00480573
                      • GetLastError.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000,?), ref: 0048058E
                      • SetLastError.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 0048059E
                      • MoveFileA.KERNEL32(?,?), ref: 004805A9
                      • GetLastError.KERNEL32 ref: 004805AD
                      • SetLastError.KERNEL32(00000000), ref: 004805BD
                      • SetLastError.KERNEL32(0000007F), ref: 004805F4
                      • GetLastError.KERNEL32 ref: 0048061A
                      • SetLastError.KERNEL32(00000000), ref: 0048062A
                      • SetLastError.KERNEL32(00000057,00000000,00000000,?,00000002), ref: 00480656
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: ErrorLast$File$Attributes$Delete$DirectoryMove$CreateRemove
                      • String ID:
                      • API String ID: 3187055061-0
                      • Opcode ID: 9970bea1d73e7677a51399663626f175ea636788bba030c306f9d7df84504163
                      • Instruction ID: cfb7eed642df8429e98f6fdc4e279250815c1538a3c59fade93af0ce0d2d242c
                      • Opcode Fuzzy Hash: 9970bea1d73e7677a51399663626f175ea636788bba030c306f9d7df84504163
                      • Instruction Fuzzy Hash: 539125312113006BD760FF28EC45BAF3798EB90B55F040D2BF985D2390EB78A54D8B6A
                      APIs
                      • LoadLibraryW.KERNEL32(psapi.dll,?,004A556A), ref: 005983F4
                      • LoadLibraryA.KERNEL32(psapi.dll,?,004A556A), ref: 00598401
                      • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0059841C
                      • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00598429
                      • GetProcAddress.KERNEL32(00000000,GetProcessMemoryInfo), ref: 00598436
                      • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00598443
                      • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 00598450
                      • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0059845D
                      • GetProcAddress.KERNEL32(00000000,GetProcessImageFileNameA), ref: 0059846A
                      • GetProcAddress.KERNEL32(00000000,GetProcessImageFileNameW), ref: 00598477
                      • GetProcAddress.KERNEL32(00000000,GetMappedFileNameA), ref: 00598484
                      • GetProcAddress.KERNEL32(00000000,GetMappedFileNameW), ref: 00598491
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: AddressProc$LibraryLoad
                      • String ID: EnumProcessModules$EnumProcesses$GetMappedFileNameA$GetMappedFileNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessImageFileNameA$GetProcessImageFileNameW$GetProcessMemoryInfo$psapi.dll$psapi.dll
                      • API String ID: 2238633743-881960437
                      • Opcode ID: 30fa72d2c9fb3a3f88e9af0967d5344511d3949e792475a3fe2a77d8d544cb62
                      • Instruction ID: 23e6b24d7a32968472a1d921c28b5189da1d573f5d327548fd36702f507b1437
                      • Opcode Fuzzy Hash: 30fa72d2c9fb3a3f88e9af0967d5344511d3949e792475a3fe2a77d8d544cb62
                      • Instruction Fuzzy Hash: 88110D70E5636467CB20EF75FC09D667F9AAFD6706B42642AF001D3161EBB48401CF90
                      APIs
                        • Part of subcall function 00427DB0: GetFileAttributesA.KERNEL32(?,00000000,?,00000000,00428474,?,00000006,00000000,?,00000001,00000000), ref: 00427DBE
                        • Part of subcall function 00427DB0: SetFileAttributesA.KERNEL32(?,00000000), ref: 00427DD7
                        • Part of subcall function 00427DB0: DeleteFileA.KERNEL32(?), ref: 00427DDA
                        • Part of subcall function 00427DB0: CreateDirectoryA.KERNEL32(?,00000000), ref: 00427DE7
                      • GetWindowsDirectoryA.KERNEL32(?,00000104,00000001,00000000), ref: 0042850E
                      • CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 0042867C
                      • WriteFile.KERNEL32(00000000,00627664,?,?,00000000), ref: 004286AC
                      • CloseHandle.KERNEL32(00000000), ref: 004286B3
                        • Part of subcall function 004558C0: lstrlenA.KERNEL32(?,0065084C,006501B0,00000000,00406413), ref: 004558D9
                        • Part of subcall function 004558C0: InterlockedDecrement.KERNEL32(0065013C), ref: 0045593D
                        • Part of subcall function 004558C0: lstrlenW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,006501B0,00000000,00650230,TICKCOUNT,00650230), ref: 004559A3
                        • Part of subcall function 00456240: InterlockedDecrement.KERNEL32(-000000F4), ref: 00456256
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: File$AttributesCreateDecrementDirectoryInterlockedlstrlen$CloseDeleteHandleWindowsWrite
                      • String ID: %s\%s$InstTpacketV$PrepareInstallDirectory 6 [%s] -> [%s]$PrepareInstallDirectory1 1 0x%lx$PrepareInstallDirectory1 10 [%s] [%s]$PrepareInstallDirectory1 3$PrepareInstallDirectory1 4 [%s] [%s]$PrepareInstallDirectory1 5$baktpkt7.sys$baktpkt764.sys$baktpkt7cat.sys$dvb$tpacket7.cat$tpacket7.inf$tpacket7.sys
                      • API String ID: 1451466700-327661535
                      • Opcode ID: f5bb2c1630a591500c9571abe6e9e6bd7d0fd50b67d03fad07e509c5974ec042
                      • Instruction ID: bf00f7630973d0838551d81f71b19d5638c7c00d9313d0c9eafdb6fb817b4eeb
                      • Opcode Fuzzy Hash: f5bb2c1630a591500c9571abe6e9e6bd7d0fd50b67d03fad07e509c5974ec042
                      • Instruction Fuzzy Hash: A0A14971605341AFD330EB64EC81FAB77A5AB98715F800A2DB585532C2EF349648CB67
                      APIs
                      • FormatMessageA.KERNEL32(00000500,?,00000000,00000000,?,00000000,?), ref: 0049445E
                      • lstrlenA.KERNEL32(?), ref: 00494480
                      • InterlockedDecrement.KERNEL32(-0000000C), ref: 004944A8
                      • LocalFree.KERNEL32(?), ref: 00494530
                      • FormatMessageA.KERNEL32(00000500,?,00000000,00000000,?,00000000,?), ref: 00494585
                      • lstrlenA.KERNEL32(00000000), ref: 004945A8
                      • InterlockedDecrement.KERNEL32(-0000000C), ref: 004945D4
                      • LocalFree.KERNEL32(?), ref: 0049465D
                      • GetModuleHandleA.KERNEL32 ref: 004946F6
                      • lstrlenA.KERNEL32(?), ref: 0049472C
                      • GetModuleHandleA.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 00494760
                      • lstrlenA.KERNEL32(?), ref: 0049478E
                      • FormatMessageA.KERNEL32(00000500,?,00000000,00000000,?,00000000,?), ref: 004947C4
                      • lstrlenA.KERNEL32(?), ref: 004947E1
                      • LocalFree.KERNEL32(?,00000000), ref: 0049482A
                      • InterlockedDecrement.KERNEL32(?), ref: 00494850
                        • Part of subcall function 0043F50C: KiUserExceptionDispatcher.NTDLL(?,?,006028A0,?,00000000,00000000,?,?,005B94A6,005C6C1C,006028A0), ref: 0043F53A
                      • lstrlenA.KERNEL32(?,756F0440,00000000,756F0A60,?), ref: 004948B3
                      • InterlockedDecrement.KERNEL32(-0000000C), ref: 004948DC
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: lstrlen$DecrementInterlocked$FormatFreeLocalMessage$HandleModule$DispatcherExceptionUser
                      • String ID:
                      • API String ID: 938005391-0
                      • Opcode ID: 3b5ea24e910731ca76912a0491f6c3291c196fabfd832ee8febfa6bf4c385647
                      • Instruction ID: 9a16fb68e9a2de8eccf825934ef08325bb79494dd9ea94d88d52e3f0f9050a60
                      • Opcode Fuzzy Hash: 3b5ea24e910731ca76912a0491f6c3291c196fabfd832ee8febfa6bf4c385647
                      • Instruction Fuzzy Hash: 87F101B16043459FDB24DF28C884B6BBBE9FBD9300F14452EE54287381DB78E90ACB56
                      APIs
                      • GetModuleHandleA.KERNEL32(USER32), ref: 0043C13F
                      • GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 0043C157
                      • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0043C168
                      • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 0043C179
                      • GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 0043C18A
                      • GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 0043C19B
                      • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0043C1AC
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: AddressProc$HandleModule
                      • String ID: EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
                      • API String ID: 667068680-2376520503
                      • Opcode ID: 8b312b11b987bc8d228bb66eda2c2e5bf2fc0f60076c9e25ff07a7224440e87f
                      • Instruction ID: 65b9705f6be3e428247b37b0895627c6d46574f89524cdc5e3db343e52b7ba18
                      • Opcode Fuzzy Hash: 8b312b11b987bc8d228bb66eda2c2e5bf2fc0f60076c9e25ff07a7224440e87f
                      • Instruction Fuzzy Hash: 9C115171A40320AA8B61CF66ADC052BBEE5B20CF96F60783FF005E23D1C7754685AF64
                      APIs
                      • GetLocalTime.KERNEL32 ref: 0042433A
                      • GetTickCount.KERNEL32 ref: 004243AD
                      • GetCurrentProcessId.KERNEL32(00000000,?,00000000,?,?,00650230,00000000,?,?,?,?,?,00000000,006501B0,00000000,00650230), ref: 004243E1
                      • GetCurrentThreadId.KERNEL32 ref: 00424415
                      • GetLastError.KERNEL32(00000000,?,00000000,?,?,00650230,00000000,?,?,?,?,?,00000000,006501B0,00000000,00650230), ref: 004244EE
                        • Part of subcall function 00424530: GetModuleHandleA.KERNEL32(kernel32.dll,?,004244C0,00000000,?,00000000,?,?,00650230,00000000,?,?,?,?,?,00000000), ref: 00424552
                        • Part of subcall function 00424530: GetProcAddress.KERNEL32(00000000,ProcessIdToSessionId), ref: 0042455E
                        • Part of subcall function 00424530: GetCurrentProcessId.KERNEL32(00000000,?,004244C0,00000000,?,00000000,?,?,00650230,00000000,?,?,?,?,?,00000000), ref: 00424578
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Current$Process$AddressCountErrorHandleLastLocalModuleProcThreadTickTime
                      • String ID: [%4d-%02d-%02d %02d:%02d:%02d] $[LErr=%08x] $[Level=%08x] $[Name=%s] $[PID=%08x] $[SID=%lu] $[TID=%08x] $[Tick=%08x]
                      • API String ID: 3875352733-4227936853
                      • Opcode ID: b404910e589fc9df2b0602cde100781519898cbbccdc9ad2e3351c66492e0f19
                      • Instruction ID: a3992e58b1fcb19d209913d0e244f2f3875ea130f3d59ea652e3c27174075db1
                      • Opcode Fuzzy Hash: b404910e589fc9df2b0602cde100781519898cbbccdc9ad2e3351c66492e0f19
                      • Instruction Fuzzy Hash: 5F71D6B06006029FD724EF69C8D5E26B7E5EF88304F28892EE8D4D7345DB789454CF54
                      APIs
                        • Part of subcall function 00474660: GetModuleHandleA.KERNEL32(advapi32.dll,756F1760,00472EE7), ref: 00474688
                        • Part of subcall function 00474660: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExA), ref: 00474698
                        • Part of subcall function 00474660: RegCloseKey.ADVAPI32(00000001,756F1760,00472EE7), ref: 004746AA
                      • RegCreateKeyExA.ADVAPI32(80000002,?,00000000,00000000,00000001,0002001F,00000000,?,?,0002001F,00000001,00000000,00000001,000000FF,0041EA1E,00000001), ref: 00434896
                      • RegCloseKey.ADVAPI32(?), ref: 004348A5
                      • RegCreateKeyExA.ADVAPI32(80000002,?,00000000,00000000,00000001,0002001F,00000000,?,?,0002001F,00000001,00000000,00000001,000000FF,0041EA1E,00000001), ref: 00434959
                      • RegCloseKey.ADVAPI32(?), ref: 00434968
                        • Part of subcall function 004558C0: lstrlenA.KERNEL32(?,0065084C,006501B0,00000000,00406413), ref: 004558D9
                        • Part of subcall function 004558C0: InterlockedDecrement.KERNEL32(0065013C), ref: 0045593D
                        • Part of subcall function 004558C0: lstrlenW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,006501B0,00000000,00650230,TICKCOUNT,00650230), ref: 004559A3
                        • Part of subcall function 00456240: InterlockedDecrement.KERNEL32(-000000F4), ref: 00456256
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Close$CreateDecrementInterlockedlstrlen$AddressHandleModuleProc
                      • String ID: %s\%s$CUpAgentFileMgr::SetQuickCheckAgentFile %d$CUpAgentFileMgr::SetQuickCheckAgentFile 1 [%s]$CUpAgentFileMgr::SetQuickCheckAgentFile 2 [%s]$InstallSignKB$QuickCheckAgentFile$Update$quickstart$software\TEC\Ocular.3\Agent
                      • API String ID: 3806372852-1481195485
                      • Opcode ID: 20b4ab646276aeaa59f277e7845a41b8e1da29b8b5032c9a733fb22822a9cd6d
                      • Instruction ID: 1dca7c26daeda9d2bf152bac08ad4ae5f32009c4816e59354b81e6133f06c3f9
                      • Opcode Fuzzy Hash: 20b4ab646276aeaa59f277e7845a41b8e1da29b8b5032c9a733fb22822a9cd6d
                      • Instruction Fuzzy Hash: 7C51C1B0108341AFE310EF21DC86E6BB7E9EBD8B08F44595EF49567282D7749908CB67
                      APIs
                      • __EH_prolog.LIBCMT ref: 00438474
                      • SafeArrayGetDim.OLEAUT32(?), ref: 0043849E
                      • SafeArrayGetDim.OLEAUT32(00000000), ref: 004384A8
                      • SafeArrayGetElemsize.OLEAUT32(?), ref: 004384C9
                      • SafeArrayGetElemsize.OLEAUT32(00000000), ref: 004384D1
                      • SafeArrayGetLBound.OLEAUT32(?,?,?), ref: 00438546
                      • SafeArrayGetLBound.OLEAUT32(00000000,?,?), ref: 0043855F
                      • SafeArrayGetUBound.OLEAUT32(?,?,?), ref: 00438578
                      • SafeArrayGetUBound.OLEAUT32(00000000,?,?), ref: 0043858E
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: ArraySafe$Bound$Elemsize$H_prolog
                      • String ID:
                      • API String ID: 779546493-0
                      • Opcode ID: dc6ba61e2aa270c75ef968d298f3c642aabd483fe1a1b04552b7b3ca60b61d99
                      • Instruction ID: f3df543c62dcf498d34426f7192b33080caec729f9cf17b072921d4035ab0378
                      • Opcode Fuzzy Hash: dc6ba61e2aa270c75ef968d298f3c642aabd483fe1a1b04552b7b3ca60b61d99
                      • Instruction Fuzzy Hash: 39514772D00219AFDF10AFA5DC8A9EEBFB8EF58310F10542AF905E6260DB749900CF64
                      APIs
                      • OpenSCManagerA.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000), ref: 0054A205
                      • GetLastError.KERNEL32 ref: 0054A211
                      • OpenServiceA.ADVAPI32(00000000,?,00000004), ref: 0054A225
                      • GetLastError.KERNEL32 ref: 0054A231
                      • OpenSCManagerA.ADVAPI32(00000000,00000000,00000001), ref: 0054A247
                      • GetLastError.KERNEL32 ref: 0054A253
                      • OpenServiceA.ADVAPI32(00000000,?,00000004), ref: 0054A261
                      • GetLastError.KERNEL32 ref: 0054A26D
                      • QueryServiceStatus.ADVAPI32(00000000,000000F7), ref: 0054A279
                      • GetLastError.KERNEL32 ref: 0054A285
                      • CloseServiceHandle.ADVAPI32(00000000), ref: 0054A2C1
                      • CloseServiceHandle.ADVAPI32(00000000), ref: 0054A2C8
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: ErrorLastService$Open$CloseHandleManager$QueryStatus
                      • String ID:
                      • API String ID: 3621078434-0
                      • Opcode ID: 4e7242ab392bc2440ad6a88ecb530431f2469e4da46e7ef3de44aef6f3074d15
                      • Instruction ID: b266323cc4457753610428f13175feb858386b0f82e4e7798abd686d01d2582d
                      • Opcode Fuzzy Hash: 4e7242ab392bc2440ad6a88ecb530431f2469e4da46e7ef3de44aef6f3074d15
                      • Instruction Fuzzy Hash: 4F314D395893159BC3719F609C486AB7FA9FB96759F01053AFD0283310EFB2890477A3
                      APIs
                        • Part of subcall function 00427F60: CoInitialize.OLE32(00000000), ref: 00427F91
                        • Part of subcall function 00427F60: CoCreateInstance.OLE32(005E3698,00000000,00000001,005E35D8,00000000), ref: 00427FB2
                        • Part of subcall function 00427F60: CoUninitialize.OLE32(00000000,?,00000000,00000000,00650EB0,?,00000000), ref: 00428054
                      • CoTaskMemFree.OLE32(?,?,?,00000000,00000001,?,005E2CE8), ref: 00428404
                        • Part of subcall function 00428070: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00428105
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CreateErrorFreeInitializeInstanceLastTaskUninitialize
                      • String ID: InstTpacketV$InstallSpecifiedComponent1 1 [0x%lx] [%s] [0x%lx] [%s] [0x%lx]$InstallSpecifiedComponent1 2 0x%lx$InstallSpecifiedComponent1 22 0x%lx$InstallSpecifiedComponent1 3 0x%lx$InstallSpecifiedComponent1 4 0x%lx$InstallSpecifiedComponent1 5 0x%lx$InstallSpecifiedComponent1 6 0x%lx$NULL$OAgent
                      • API String ID: 3481011043-428334786
                      • Opcode ID: 2585c0ebe203d63f9118d03c0d3769a1f59e6d4c11c580daf091bd1ece80319a
                      • Instruction ID: bd5466c697c73227e92cf711d581a070f121859c165597d6fb19c16939cae8d6
                      • Opcode Fuzzy Hash: 2585c0ebe203d63f9118d03c0d3769a1f59e6d4c11c580daf091bd1ece80319a
                      • Instruction Fuzzy Hash: FD411971B41732BBD620E649FC42E5B7A95EB84F55F85002EFD4493382ED7AC8408BB6
                      APIs
                      • GetLocalTime.KERNEL32(00650230,00650230,LASTLOGTIME,00000000,00650230,KEYWORD), ref: 004066E3
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: LocalTime
                      • String ID: ISLOG$KEYWORD$LASTLOGTIME$LEVEL$MAXLOGCOUNT$MAXRESERVE$PROCESS$TARGET$TICKCOUNT
                      • API String ID: 481472006-2320170053
                      • Opcode ID: a6930e872e6c62e24a5f711d575bf1fc7dc1a3e67ba427974c82825ee3579485
                      • Instruction ID: 94433492bbb74e743a1dae02234d42d91b7b9ceba997508e83e8b6f0a3918a3b
                      • Opcode Fuzzy Hash: a6930e872e6c62e24a5f711d575bf1fc7dc1a3e67ba427974c82825ee3579485
                      • Instruction Fuzzy Hash: 2391F3B1A007018BC720EF25D88596BB7E6FF85304F41493EE56B97391EF38E8588B59
                      APIs
                      • DeviceIoControl.KERNEL32(?,0022308A,00000000,00000000,00000000,00000000,?,00000000), ref: 0042E74A
                      • DeviceIoControl.KERNEL32(?,00223016,00000000,00000000,00000000,00000000,?,00000000), ref: 0042E817
                        • Part of subcall function 0046F590: InterlockedDecrement.KERNEL32(?), ref: 0046F625
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: ControlDevice$DecrementInterlocked
                      • String ID: BDST$BDST$GetSDBakDocInfo OpenDevice fail$GetSDBakDocInfo check fail x1$GetSDBakDocInfo check fail x2$GetSDBakDocInfo x1 isNULL[%d]$GetSDBakDocInfo x2 isNULL[%d]$SDBakNotify
                      • API String ID: 1138454868-3102609731
                      • Opcode ID: 219f708aaa5477aa54347612c2461508c6eb36d7c52c20862ef8b416f9d589d1
                      • Instruction ID: 9d80408068f48047a7f129a4959fe127ade94d1ef44ed0eca8d122a5f14b3637
                      • Opcode Fuzzy Hash: 219f708aaa5477aa54347612c2461508c6eb36d7c52c20862ef8b416f9d589d1
                      • Instruction Fuzzy Hash: A551D531740322ABE720AE67BC41F2BB3D5AB94B54F44882EF595D73C1EB74E8048B56
                      APIs
                      • GetVolumeInformationW.KERNEL32(?,00000000,00000000,?,?,?,?,00000010), ref: 0040E0A7
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: InformationVolume
                      • String ID: A:\$EXFAT$FAT$FAT12$FAT16$FAT16$FAT32$FAT32$NTFS
                      • API String ID: 2039140958-1918423830
                      • Opcode ID: e7e26d88c6e9df57f9a6afd1ca576d4e44a15bed98153a6a48c15e74b574d62c
                      • Instruction ID: bf56545602373d3d3d63da0fca1442b796bcc452e13cf7b96a7657e1785f2054
                      • Opcode Fuzzy Hash: e7e26d88c6e9df57f9a6afd1ca576d4e44a15bed98153a6a48c15e74b574d62c
                      • Instruction Fuzzy Hash: CF412DB6A0030167D710DB1ADC82BAB77D5ABD4700F44083FFD04E6282F678D5598397
                      APIs
                      • RegCreateKeyA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,?), ref: 0040A68A
                      • RegQueryValueExA.ADVAPI32(?,CommonFilesDir,00000000,00000104,?,00000104), ref: 0040A6AE
                      • RegCloseKey.ADVAPI32(?), ref: 0040A6BB
                      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040A71D
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CloseCreateDirectoryQuerySystemValue
                      • String ID: CommonFilesDir$Software\Microsoft\Windows\CurrentVersion$\$\system$c:\program files\commom files\system$system
                      • API String ID: 3180848759-1854036970
                      • Opcode ID: 92b28350bb561837fb754aa583a85f91043b8dc681193f7983e09c1893767aa6
                      • Instruction ID: 82f54b4d839fef4445f753e8247ba7b029fb6d7eca6005aa90381b3fcb353a31
                      • Opcode Fuzzy Hash: 92b28350bb561837fb754aa583a85f91043b8dc681193f7983e09c1893767aa6
                      • Instruction Fuzzy Hash: 7641E4322186055BD728CD38D8505BBBBD2EBC8320F544A3EF6A6932D0DAB5DD0D8796
                      APIs
                      • RegCreateKeyExW.ADVAPI32 ref: 0047C510
                      • RegQueryValueExW.ADVAPI32(?,CommonFilesDir,00000000,00000000,00020119,?), ref: 0047C534
                      • RegCloseKey.ADVAPI32(?), ref: 0047C541
                      • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0047C591
                      • SetLastError.KERNEL32(00000057), ref: 0047C647
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CloseCreateDirectoryErrorLastQuerySystemValue
                      • String ID: %s\%s$CommonFilesDir$Software\Microsoft\Windows\CurrentVersion$\$c:\program files\commom files
                      • API String ID: 4238452618-538529126
                      • Opcode ID: fa015fa38fcd6da186b56304fbd5b87cf55aba8b67b6f2cfde0a431b1bef7fff
                      • Instruction ID: b9ab58978efc4e4d46689a04996ae4d22472743f68b3eaaeb3d04c363987de6e
                      • Opcode Fuzzy Hash: fa015fa38fcd6da186b56304fbd5b87cf55aba8b67b6f2cfde0a431b1bef7fff
                      • Instruction Fuzzy Hash: BF41E5B5504344ABC320DF55D8C4DAFB7E8FBC8704F41992EF58A93240E675EA098B9A
                      APIs
                        • Part of subcall function 00425F40: CoInitialize.OLE32(00000000), ref: 00425F71
                        • Part of subcall function 00425F40: CoCreateInstance.OLE32(005E3698,00000000,00000001,005E35D8,00000000), ref: 00425F92
                        • Part of subcall function 00425F40: CoUninitialize.OLE32(00000000,?,80000002,00000000,00650EB0,?,00000000), ref: 00426034
                      • CoTaskMemFree.OLE32(?,?,?,?), ref: 004262DF
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CreateFreeInitializeInstanceTaskUninitialize
                      • String ID: InstTpacketV$InstallSpecifiedComponent 1$InstallSpecifiedComponent 2 0x%lx$InstallSpecifiedComponent 22 0x%lx$InstallSpecifiedComponent 3 0x%lx$InstallSpecifiedComponent 4 0x%lx$InstallSpecifiedComponent 5 0x%lx$InstallSpecifiedComponent 6 0x%lx$OAgent
                      • API String ID: 3702099707-699348219
                      • Opcode ID: 756b0305704230b1ebfed7da3885637c67bc22312b98c7f35dbb4eb6251071ad
                      • Instruction ID: 9c852ee3aee4a4300d6869b4e4d52f72c887c2da6edf8153e51daad3cc393c1c
                      • Opcode Fuzzy Hash: 756b0305704230b1ebfed7da3885637c67bc22312b98c7f35dbb4eb6251071ad
                      • Instruction Fuzzy Hash: 4A41D371B40332FBE620FA84FC46F173695AF40F45F864469B944A7382E6A9DC04CBB6
                      APIs
                        • Part of subcall function 0045C390: InterlockedIncrement.KERNEL32(?), ref: 0045C3B3
                      • InterlockedDecrement.KERNEL32(?), ref: 0045C1AB
                      • InterlockedDecrement.KERNEL32(-000000F4), ref: 0045C2E2
                        • Part of subcall function 00450A70: InterlockedDecrement.KERNEL32(?), ref: 00450AC1
                      • InterlockedIncrement.KERNEL32(?), ref: 0045C2BF
                        • Part of subcall function 0043BCD8: EnterCriticalSection.KERNEL32(00653450,00650230,006501C4,006501C4,0045D19F,-0000000C), ref: 0043BCE9
                        • Part of subcall function 0043BCD8: LeaveCriticalSection.KERNEL32(00653450), ref: 0043BCF8
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Interlocked$Decrement$CriticalIncrementSection$EnterLeave
                      • String ID: 05e$05e$X5e$X5e$4e$4e
                      • API String ID: 1121898109-1905294876
                      • Opcode ID: 325f25f8e130226635f40627fe50f2d14a541e478dcb9cf4688756a028d78ad2
                      • Instruction ID: 7ca03dafc66359852470ad1aefba77571f1e460e960a3a0b80e8bba74e8725a3
                      • Opcode Fuzzy Hash: 325f25f8e130226635f40627fe50f2d14a541e478dcb9cf4688756a028d78ad2
                      • Instruction Fuzzy Hash: 8D61D0706047058FCB14DF59C8D4B2BB796FB88719F10461EFD5297392DB38A809CB9A
                      APIs
                      • RegCreateKeyExA.ADVAPI32 ref: 0047C340
                      • RegQueryValueExA.ADVAPI32(?,CommonFilesDir,00000000,00000000,00020119,?), ref: 0047C364
                      • RegCloseKey.ADVAPI32(?), ref: 0047C371
                      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0047C3D3
                      • SetLastError.KERNEL32(00000057), ref: 0047C49E
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CloseCreateDirectoryErrorLastQuerySystemValue
                      • String ID: %s\%s$CommonFilesDir$Software\Microsoft\Windows\CurrentVersion$c:\program files\commom files
                      • API String ID: 4238452618-243120932
                      • Opcode ID: 4f3342f410966a61aa6c1b9c1474c2b9966e111aa30cec2fc60c518e75f08568
                      • Instruction ID: 06b51330155eb017e680320f0f916cdbd50fe4a28a4dbc49a0ed21037e8bfb77
                      • Opcode Fuzzy Hash: 4f3342f410966a61aa6c1b9c1474c2b9966e111aa30cec2fc60c518e75f08568
                      • Instruction Fuzzy Hash: B3412571508245AFD728CE34C8919FFBBD5FBC8310F548A2EF59A93281DA789D098792
                      APIs
                      • InterlockedDecrement.KERNEL32(?), ref: 00450611
                        • Part of subcall function 0043BCD8: EnterCriticalSection.KERNEL32(00653450,00650230,006501C4,006501C4,0045D19F,-0000000C), ref: 0043BCE9
                        • Part of subcall function 0043BCD8: LeaveCriticalSection.KERNEL32(00653450), ref: 0043BCF8
                      • InterlockedDecrement.KERNEL32(-0000000C), ref: 004506EC
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CriticalDecrementInterlockedSection$EnterLeave
                      • String ID: 05e$05e$X5e$X5e$4e$4e
                      • API String ID: 1158270854-1905294876
                      • Opcode ID: 04d890ce8cbf5d5b3daaffa29e35dd4bff0baef763ea11d31a94263831fd89a0
                      • Instruction ID: afb57a33c469b4a88140248c2ae44ee64976e777755da750b27c5778cbf0234e
                      • Opcode Fuzzy Hash: 04d890ce8cbf5d5b3daaffa29e35dd4bff0baef763ea11d31a94263831fd89a0
                      • Instruction Fuzzy Hash: D141D678200144AFDB24DF59D895A7E3796FB88316F10502FFD0ACB352DB28AD4C9B19
                      APIs
                      • InterlockedDecrement.KERNEL32(?), ref: 004520A9
                      • OemToCharA.USER32 ref: 004520CF
                      • OemToCharA.USER32 ref: 004520EF
                        • Part of subcall function 0043BCD8: EnterCriticalSection.KERNEL32(00653450,00650230,006501C4,006501C4,0045D19F,-0000000C), ref: 0043BCE9
                        • Part of subcall function 0043BCD8: LeaveCriticalSection.KERNEL32(00653450), ref: 0043BCF8
                      • OemToCharA.USER32 ref: 00452145
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Char$CriticalSection$DecrementEnterInterlockedLeave
                      • String ID: 05e$X5e$4e
                      • API String ID: 2071980235-105376989
                      • Opcode ID: dfd24aa630bcf107c0f902560608091f705020c558b3750a94b609a8221d7c88
                      • Instruction ID: 76a2adff82310cdb6abd1fae94f543b7a8327fa16a005c7072f74a3f9c4026bb
                      • Opcode Fuzzy Hash: dfd24aa630bcf107c0f902560608091f705020c558b3750a94b609a8221d7c88
                      • Instruction Fuzzy Hash: 1821F57110200CAFCB14AF51EC8497F775DFB4A316F44802BFE078B202DB26AA08A761
                      APIs
                      • Sleep.KERNEL32(000003E8,00650EB0,0042A2DA,80000002,00650EB0,?,00000000), ref: 0042A1E6
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Sleep
                      • String ID: CTPacketVMgr2::CheckTPacket 0$CTPacketVMgr2::CheckTPacket 1$CTPacketVMgr2::CheckTPacket 2$CTPacketVMgr2::CheckTPacket 3$CTPacketVMgr2::CheckTPacket 4$CTPacketVMgr2::CheckTPacket 5$CTPacketVMgr2::CheckTPacket 6$TPacketV
                      • API String ID: 3472027048-781506195
                      • Opcode ID: 6c3b49d05f6a70d54ab8f05a688b1d543a946ec3496e21368203f447c198b124
                      • Instruction ID: 3fe0b27ca0173fb4b56f12f2140ec9718781b4eeaebfb8da796ec9d272d3826c
                      • Opcode Fuzzy Hash: 6c3b49d05f6a70d54ab8f05a688b1d543a946ec3496e21368203f447c198b124
                      • Instruction Fuzzy Hash: EF218230B80732A7E720A3657C47B2A32526F54F0AF850157BD05A23C3EA49DD2089BF
                      APIs
                      • lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 0045822E
                      • lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,000000FF), ref: 00458255
                      • lstrlenW.KERNEL32(756EE0B0,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 004582A1
                      • InterlockedDecrement.KERNEL32(?), ref: 004582FE
                      • InterlockedDecrement.KERNEL32(?), ref: 0045836E
                      • lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00458476
                        • Part of subcall function 0043BCD8: EnterCriticalSection.KERNEL32(00653450,00650230,006501C4,006501C4,0045D19F,-0000000C), ref: 0043BCE9
                        • Part of subcall function 0043BCD8: LeaveCriticalSection.KERNEL32(00653450), ref: 0043BCF8
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: lstrlen$CriticalDecrementInterlockedSection$EnterLeave
                      • String ID: @4e$h4e
                      • API String ID: 1964322049-4164473680
                      • Opcode ID: db6b80c68a094aa3c02f7ac5dba9d7c1ab9abe0af80f74cff964c40b27b915e3
                      • Instruction ID: 26923e9c7d4213f13157f7952a7bd5a5ec94e4239ca8a9bcf89721cc882c2950
                      • Opcode Fuzzy Hash: db6b80c68a094aa3c02f7ac5dba9d7c1ab9abe0af80f74cff964c40b27b915e3
                      • Instruction Fuzzy Hash: 3881CD316006158B8B24EF19C88086FB7E5FF88755F44492EFC46A7301DF78ED098B96
                      APIs
                      • lstrlenA.KERNEL32(?,00000000,?,?,00000000,004750DF,0064FD78), ref: 004565FF
                        • Part of subcall function 0043BCD8: EnterCriticalSection.KERNEL32(00653450,00650230,006501C4,006501C4,0045D19F,-0000000C), ref: 0043BCE9
                        • Part of subcall function 0043BCD8: LeaveCriticalSection.KERNEL32(00653450), ref: 0043BCF8
                      • InterlockedDecrement.KERNEL32(-0000000C), ref: 00456636
                      • InterlockedDecrement.KERNEL32(0065348C), ref: 004566E6
                      • lstrlenW.KERNEL32(?,00000000,004750DF,0064FD78), ref: 0045674D
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CriticalDecrementInterlockedSectionlstrlen$EnterLeave
                      • String ID: @4e$@4e$h4e$h4e
                      • API String ID: 1390202295-3794260672
                      • Opcode ID: 80c8980d030dcaa42e1977b2c5559ec95205d96e3aaaa7fecf7491ef6969e128
                      • Instruction ID: a14062c0d74b1cbeb4f401fa57f96578460084e02114c027a167179524812666
                      • Opcode Fuzzy Hash: 80c8980d030dcaa42e1977b2c5559ec95205d96e3aaaa7fecf7491ef6969e128
                      • Instruction Fuzzy Hash: 0C412B752001109BCB20AE15CC95A2F7399FB8830BF56552FFD028B343CA38AD4C87AA
                      APIs
                      • InterlockedDecrement.KERNEL32(?), ref: 004605B9
                      • InterlockedDecrement.KERNEL32(?), ref: 00460657
                        • Part of subcall function 0043BCD8: EnterCriticalSection.KERNEL32(00653450,00650230,006501C4,006501C4,0045D19F,-0000000C), ref: 0043BCE9
                        • Part of subcall function 0043BCD8: LeaveCriticalSection.KERNEL32(00653450), ref: 0043BCF8
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CriticalDecrementInterlockedSection$EnterLeave
                      • String ID: 05e$05e$X5e$X5e$4e$4e
                      • API String ID: 1158270854-1905294876
                      • Opcode ID: e0d70030edec1bf28732296c440b137c47fd02ccf505cdb63cbde2ab8bb84c55
                      • Instruction ID: 2e2e35890a7ff3d429029a63bf5dfdd8bf0ac837cc67d1c0b93f50992b065bd6
                      • Opcode Fuzzy Hash: e0d70030edec1bf28732296c440b137c47fd02ccf505cdb63cbde2ab8bb84c55
                      • Instruction Fuzzy Hash: 3841F4B05006029FC724EF59C490927F795FFA8314B20922FD65797750FB38AC608B9B
                      APIs
                      • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,?,?), ref: 004665D2
                      • lstrlenA.KERNEL32(?), ref: 004666B9
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001), ref: 004666DF
                      • RegSetValueExW.ADVAPI32(?,?,00000000,00000007,?,?,?,00000001), ref: 004666F6
                      • RegCloseKey.ADVAPI32(?,?,00000000,00000007,?,?,?,00000001), ref: 00466706
                      • RegCloseKey.ADVAPI32(?,00000001), ref: 0046673A
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Close$ByteCharCreateMultiValueWidelstrlen
                      • String ID:
                      • API String ID: 2379387548-0
                      • Opcode ID: 9d3d7810a449c124c35bb141bf342d425c2e6d955c6776e2023929e767f2eef8
                      • Instruction ID: 1aa2a5ec85b5f1ac63131763f939d6955130bd6f68939ae2f9668ce797704842
                      • Opcode Fuzzy Hash: 9d3d7810a449c124c35bb141bf342d425c2e6d955c6776e2023929e767f2eef8
                      • Instruction Fuzzy Hash: 85A10671600105ABCB14DF68C885AAF77A5EF84314F15812AFC16E7381EB38ED05CBE6
                      APIs
                        • Part of subcall function 0045A260: FindResourceExA.KERNEL32(006501B0,00000006,00650231,006501B0), ref: 0045A281
                        • Part of subcall function 0045A260: LoadResource.KERNEL32(006501B0,00000000), ref: 0045A28D
                      • lstrlenW.KERNEL32(?), ref: 0045A58D
                      • InterlockedDecrement.KERNEL32(-0000000C), ref: 0045A5BC
                        • Part of subcall function 0043BCD8: EnterCriticalSection.KERNEL32(00653450,00650230,006501C4,006501C4,0045D19F,-0000000C), ref: 0043BCE9
                        • Part of subcall function 0043BCD8: LeaveCriticalSection.KERNEL32(00653450), ref: 0043BCF8
                      • InterlockedDecrement.KERNEL32(-0000000C), ref: 0045A679
                      • InterlockedDecrement.KERNEL32(?), ref: 0045A755
                      • lstrlenW.KERNEL32(00000000,?,?,?,?,-00000001), ref: 0045A769
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: DecrementInterlocked$CriticalResourceSectionlstrlen$EnterFindLeaveLoad
                      • String ID: @4e$h4e
                      • API String ID: 4165821879-4164473680
                      • Opcode ID: 122b4a8c6056bdc9af0b122d0a4e4a239d7126d75e8fb0c52ea8cb3e059effaa
                      • Instruction ID: 2ebf4e9a7a46f3ef684c08058d5f9b7ed7bdfc03938087fad7ff3a8f806ea5be
                      • Opcode Fuzzy Hash: 122b4a8c6056bdc9af0b122d0a4e4a239d7126d75e8fb0c52ea8cb3e059effaa
                      • Instruction Fuzzy Hash: E57102316006199FCB24EF18C895A6FB3E6FF88301F54452EE94297352DB38AD09CB97
                      APIs
                      • InterlockedIncrement.KERNEL32(?), ref: 00458638
                      • lstrlenW.KERNEL32(?,00000000,?,?,?,?,00000000,005CDF7F,000000FF), ref: 00458653
                      • InterlockedIncrement.KERNEL32(?), ref: 004586EB
                      • lstrlenW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00458701
                        • Part of subcall function 0043BCD8: EnterCriticalSection.KERNEL32(00653450,00650230,006501C4,006501C4,0045D19F,-0000000C), ref: 0043BCE9
                        • Part of subcall function 0043BCD8: LeaveCriticalSection.KERNEL32(00653450), ref: 0043BCF8
                      • InterlockedDecrement.KERNEL32(?), ref: 00458771
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Interlocked$CriticalIncrementSectionlstrlen$DecrementEnterLeave
                      • String ID: @4e$h4e
                      • API String ID: 3418306807-4164473680
                      • Opcode ID: 8ebcf53ce332690c3b5825ea1cb9cf7dfed752aae633cd75171c4c567afb0398
                      • Instruction ID: a3e294009efeb76380bee68161c85259e8fa2de3a74697a48f08f6e686a6a7e8
                      • Opcode Fuzzy Hash: 8ebcf53ce332690c3b5825ea1cb9cf7dfed752aae633cd75171c4c567afb0398
                      • Instruction Fuzzy Hash: A361B1316006059FCB14DF28C89462BB7E5FB98315F20422FED06AB352DF78AE09CB95
                      APIs
                      • DeviceIoControl.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,00000000), ref: 00430428
                      Strings
                      • [CTSDEncryptDrv::AddOrDelSaveAsFileDrv] 1002 [filename(%s), filenamedev(%s)], xrefs: 0043033E
                      • NotifyEncDrv, xrefs: 004302E4, 00430343, 00430440, 00430473
                      • [CTSDEncryptDrv::AddOrDelSaveAsFileDrv size[%d]] 1000, xrefs: 004302DF
                      • Xe, xrefs: 00430322
                      • [CTSDEncryptDrv::AddOrDelSaveAsFileDrv] 1004 [0x%lx], xrefs: 0043043B
                      • [CTSDEncryptDrv::AddOrDelSaveAsFileDrv] 1005, xrefs: 0043046E
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: ControlDevice
                      • String ID: NotifyEncDrv$Xe$[CTSDEncryptDrv::AddOrDelSaveAsFileDrv size[%d]] 1000$[CTSDEncryptDrv::AddOrDelSaveAsFileDrv] 1002 [filename(%s), filenamedev(%s)]$[CTSDEncryptDrv::AddOrDelSaveAsFileDrv] 1004 [0x%lx]$[CTSDEncryptDrv::AddOrDelSaveAsFileDrv] 1005
                      • API String ID: 2352790924-3607367165
                      • Opcode ID: a5c9f997f3187ed2b57dd80fabfd10c066087fea45c34fcf780a699cdc46489e
                      • Instruction ID: 661d8471aaff56240974289b31e5e8ec1c9fbeb8d2a875556d77ad29eb01e3e4
                      • Opcode Fuzzy Hash: a5c9f997f3187ed2b57dd80fabfd10c066087fea45c34fcf780a699cdc46489e
                      • Instruction Fuzzy Hash: F651B471604710AFD310DF55EC81A5BB7E5EF98714F404A2EFA9993382E738D908CB96
                      APIs
                      • InterlockedIncrement.KERNEL32(006359BC), ref: 00452284
                      • lstrlenA.KERNEL32(006359C8,?,?,?,?,?,?,?,?,?,005CDD2F,000000FF), ref: 0045229C
                        • Part of subcall function 0043BCD8: EnterCriticalSection.KERNEL32(00653450,00650230,006501C4,006501C4,0045D19F,-0000000C), ref: 0043BCE9
                        • Part of subcall function 0043BCD8: LeaveCriticalSection.KERNEL32(00653450), ref: 0043BCF8
                      • InterlockedDecrement.KERNEL32(006359BC), ref: 004522C8
                      • InterlockedDecrement.KERNEL32(?), ref: 0045231B
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Interlocked$CriticalDecrementSection$EnterIncrementLeavelstrlen
                      • String ID: 05e$X5e$4e
                      • API String ID: 896194137-105376989
                      • Opcode ID: bfde92c27b4d7787cc28bba5da1e17c56a3904b77022aee3b9f05366f5001f78
                      • Instruction ID: a59bb69f09db69df8a25c6785db5145c8f82638c12d6a4b93b46b0806894667a
                      • Opcode Fuzzy Hash: bfde92c27b4d7787cc28bba5da1e17c56a3904b77022aee3b9f05366f5001f78
                      • Instruction Fuzzy Hash: A841E0742047869FCB18DF28C89462FB7E6BB85305F50462FFD069B382DB78990C8B56
                      APIs
                      • InterlockedIncrement.KERNEL32(006359BC), ref: 00452424
                      • lstrlenA.KERNEL32(006359C8,?,?,?,?,?,?,?,?,?,005CDD5F,000000FF), ref: 0045243C
                        • Part of subcall function 0043BCD8: EnterCriticalSection.KERNEL32(00653450,00650230,006501C4,006501C4,0045D19F,-0000000C), ref: 0043BCE9
                        • Part of subcall function 0043BCD8: LeaveCriticalSection.KERNEL32(00653450), ref: 0043BCF8
                      • InterlockedDecrement.KERNEL32(006359BC), ref: 00452468
                      • InterlockedDecrement.KERNEL32(?), ref: 004524BB
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Interlocked$CriticalDecrementSection$EnterIncrementLeavelstrlen
                      • String ID: 05e$X5e$4e
                      • API String ID: 896194137-105376989
                      • Opcode ID: 8f047666eaae8fd9bdc0a8c3d5b1aea8e08017742a2e2de7bf1f423818a3d1d1
                      • Instruction ID: 92e8a0510119447b380003ebd9e063175f9f91a8f5bd98261a8d596dd9d73996
                      • Opcode Fuzzy Hash: 8f047666eaae8fd9bdc0a8c3d5b1aea8e08017742a2e2de7bf1f423818a3d1d1
                      • Instruction Fuzzy Hash: D741EF706042859FCB14DF18C994A2FB7E6FB86305F54462FE81297392DBB8AD0CC752
                      APIs
                      • GetStringTypeW.KERNEL32(00000001,005E182C,00000001,?,756EE860,00656530,?,?,0044994E,?,?,?,00000000,00000001), ref: 0044818C
                      • GetStringTypeExA.KERNEL32(00000000,00000001,005E1828,00000001,?,?,0044994E,?,?,?,00000000,00000001), ref: 004481A6
                      • GetStringTypeExA.KERNEL32(?,?,?,?,0044994E,756EE860,00656530,?,?,0044994E,?,?,?,00000000,00000001), ref: 004481DA
                      • MultiByteToWideChar.KERNEL32(?,0ee,?,?,00000000,00000000,756EE860,00656530,?,?,0044994E,?,?,?,00000000,00000001), ref: 00448212
                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,0044994E,?), ref: 00448268
                      • GetStringTypeW.KERNEL32(?,?,00000000,0044994E,?,?,?,?,?,?,0044994E,?), ref: 0044827A
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: StringType$ByteCharMultiWide
                      • String ID: 0ee
                      • API String ID: 3852931651-4269291191
                      • Opcode ID: 446fb8b25d2c50955414739b73301ea78cf6d715b525723f7fbbc872ea7b102f
                      • Instruction ID: 1cc3d39e43865d58329f1d0cc876ac1052a0242e76baa87dff1aa0ec016bac58
                      • Opcode Fuzzy Hash: 446fb8b25d2c50955414739b73301ea78cf6d715b525723f7fbbc872ea7b102f
                      • Instruction Fuzzy Hash: 1541BE72600A19AFDF208F94DC85EAF3F79FB18750F14492BF911D2260C7388A11DBA5
                      APIs
                      • OpenProcess.KERNEL32(00000410,00000000,?), ref: 0041674E
                      • OpenProcess.KERNEL32(02000000,00000000,?), ref: 0041675D
                      • OpenProcess.KERNEL32(00001000,00000000,?), ref: 0041676C
                      • OpenProcess.KERNEL32(00000410,00000000,?), ref: 00416797
                      • OpenProcess.KERNEL32(02000000,00000000,?), ref: 004167A7
                      • OpenProcess.KERNEL32(00001000,00000000,?), ref: 004167B6
                      • CloseHandle.KERNEL32(00000000), ref: 004167DE
                      • CloseHandle.KERNEL32(00000000), ref: 0041685F
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: OpenProcess$CloseHandle
                      • String ID:
                      • API String ID: 621282731-0
                      • Opcode ID: d912df135a6c096ea29e5a91b01fbb3f491162d0d0d5eb682ec2cb2fb47a1e75
                      • Instruction ID: aee628051f7d8679ffed8baeb6447a5d9158d8b20762e6dd242febae1be40cc0
                      • Opcode Fuzzy Hash: d912df135a6c096ea29e5a91b01fbb3f491162d0d0d5eb682ec2cb2fb47a1e75
                      • Instruction Fuzzy Hash: 3151067260531167E731EE25CC40BEFB7D8AF84758F02092EFA4496390DB78D98486EA
                      APIs
                      • CreateFileMappingA.KERNEL32(?,00000000,00000004,00000000,00000000,00000000), ref: 0046E4E5
                      • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?,?,?,?,00000000,005CF018,000000FF,0046E00E,00000000), ref: 0046E4FB
                      • UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,00000000,005CF018,000000FF,0046E00E,00000000), ref: 0046E513
                      • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,005CF018,000000FF,0046E00E,00000000), ref: 0046E51A
                      • UnmapViewOfFile.KERNEL32(?), ref: 0046E629
                      • CloseHandle.KERNEL32(?), ref: 0046E640
                      • UnmapViewOfFile.KERNEL32(?), ref: 0046E65F
                      • CloseHandle.KERNEL32(?), ref: 0046E66A
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: File$View$CloseHandleUnmap$CreateMapping
                      • String ID:
                      • API String ID: 1894849357-0
                      • Opcode ID: 30ac7c43fa7c25b71a5bc9fbdacd59a354fdee077c02fb0f44f35b4bb7cbf89e
                      • Instruction ID: 7abd1a7e3ecc03af561473459f83d65025659d568f39732773858ffa221cef4f
                      • Opcode Fuzzy Hash: 30ac7c43fa7c25b71a5bc9fbdacd59a354fdee077c02fb0f44f35b4bb7cbf89e
                      • Instruction Fuzzy Hash: F46179B96043019FC710CF2AC880A5BBBE5BF88718F154A1EF899A7311E734E845CB96
                      APIs
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00428105
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: ErrorLast
                      • String ID: HrInstallNetComponent1 1 %s$HrInstallNetComponent1 2 0x%lx 0x%lx$HrInstallNetComponent1 3$HrInstallNetComponent1 4 0x%lx$HrInstallNetComponent1 5 0x%lx$HrInstallNetComponent1 6 0x%lx$InstTpacketV
                      • API String ID: 1452528299-2793713214
                      • Opcode ID: 5bfaba1771706d632731f38c56aebab82be8c4726d40804665c40428735d60a1
                      • Instruction ID: 7387a0129a64d373a37bf75c3cf7cc4f068f5b8bf60968a82efdd8cf88581060
                      • Opcode Fuzzy Hash: 5bfaba1771706d632731f38c56aebab82be8c4726d40804665c40428735d60a1
                      • Instruction Fuzzy Hash: 5141C471B41732BBE230D655FC43F7B3699AF44B04F85402DBD44A32C2EAA8D944CBA6
                      APIs
                      • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,005CE468,000000FF), ref: 00466161
                      • lstrlenA.KERNEL32(?,?,?,?,?,005CE468,000000FF,?,00466298,?,00000000,?,?,?,00407EE2,?), ref: 00466196
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001,?,?,?,?,005CE468,000000FF,?,00466298,?,00000000), ref: 004661BF
                        • Part of subcall function 004500C0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,00466206,?), ref: 004500E7
                        • Part of subcall function 004500C0: InterlockedDecrement.KERNEL32(-0000000C), ref: 0045014A
                        • Part of subcall function 004500C0: lstrlenA.KERNEL32 ref: 004501B0
                      • RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?,00000002), ref: 004661DD
                      • RegCloseKey.ADVAPI32(00000002,?,00000000,00000001,?,00000002), ref: 004661ED
                      • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,?,?,?,?,?,?,005CE468,000000FF,?,00466298), ref: 00466218
                      • RegCloseKey.ADVAPI32(?,?,?,?,?,005CE468,000000FF,?,00466298,?,00000000,?,?,?,00407EE2,?), ref: 00466228
                      • RegCloseKey.ADVAPI32(?,?,?,?,?,005CE468,000000FF,?,00466298,?,00000000,?,?,?,00407EE2,?), ref: 00466259
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Close$ByteCharMultiValueWidelstrlen$CreateDecrementInterlocked
                      • String ID:
                      • API String ID: 869423163-0
                      • Opcode ID: d330e3fd51ee9d3459c575698a177f619400b7555114ae8fadf3d932fff105b0
                      • Instruction ID: 0e8d07ed252f4005a9b0aa4e5803a8f61e20444ed5df05a95ffaaf9263145faf
                      • Opcode Fuzzy Hash: d330e3fd51ee9d3459c575698a177f619400b7555114ae8fadf3d932fff105b0
                      • Instruction Fuzzy Hash: 5441D172600205BFDB20DF54CC86FAB37A8EF55750F01821AFD12A7281E738AD458BA6
                      APIs
                      • GetSystemMetrics.USER32(00000000), ref: 0043C42E
                      • GetSystemMetrics.USER32(00000001), ref: 0043C435
                      • GetClipBox.GDI32(?,?), ref: 0043C446
                      • GetDCOrgEx.GDI32(?,?), ref: 0043C458
                      • OffsetRect.USER32(?,?,?), ref: 0043C472
                      • IntersectRect.USER32(?,?,?), ref: 0043C48A
                      • IntersectRect.USER32(?,?,?), ref: 0043C4A0
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Rect$IntersectMetricsSystem$ClipOffset
                      • String ID:
                      • API String ID: 2304384279-0
                      • Opcode ID: 8becb525e9fa391fc4185a2bc723af9bc9dd5dd43916cbb4b743e667414b0185
                      • Instruction ID: aa9cd54537308e06928ca3a29ad519dfc50113e10688b652c566d225f4963083
                      • Opcode Fuzzy Hash: 8becb525e9fa391fc4185a2bc723af9bc9dd5dd43916cbb4b743e667414b0185
                      • Instruction Fuzzy Hash: 0131077290020EABCF119FA4CD858FFBBBCEB18350F149523FA06E2150D7389A459BA4
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b446ed491ab3c9e9dd00ac45f96eafe8bde2aaf84196d4fef118b766369affcb
                      • Instruction ID: ac27424cac0ccfade045f97e4b298c79df18ded9df7a5dd5210f2a0c7bf6fee3
                      • Opcode Fuzzy Hash: b446ed491ab3c9e9dd00ac45f96eafe8bde2aaf84196d4fef118b766369affcb
                      • Instruction Fuzzy Hash: 8221D3716043155BD320AF66AC04B2F73E9AB95B92F41442FF808D7350DF78D8058BA9
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CountTick
                      • String ID: %s%s$disfunc_$enfunc_
                      • API String ID: 536389180-3188296966
                      • Opcode ID: cf0927a8995907f91ab61a4f29879094b05f54a34735ca215c9af9a0a4d0a332
                      • Instruction ID: 211eba77981245d57040ee437adf8ed94e35bc11244e3e0ce5fd00eeb134ebae
                      • Opcode Fuzzy Hash: cf0927a8995907f91ab61a4f29879094b05f54a34735ca215c9af9a0a4d0a332
                      • Instruction Fuzzy Hash: CBA168707007119FD728DF19D490A2BB7E2BF98700F54852EE85A8B752DB38EC91CB89
                      APIs
                      • lstrlenA.KERNEL32(?), ref: 004601D7
                        • Part of subcall function 00454730: FindResourceExA.KERNEL32(?,00000006,?,?), ref: 00454753
                        • Part of subcall function 00454730: LoadResource.KERNEL32(?,00000000,?,?,?,0064FD78,0044FF72,?,?,00000000,?,00000100), ref: 0045475F
                        • Part of subcall function 00454730: OutputDebugStringW.KERNEL32(-00000002,?,?,?,0064FD78,0044FF72,?,?,00000000,?,00000100), ref: 00454776
                        • Part of subcall function 00451570: InterlockedDecrement.KERNEL32(?), ref: 004515D0
                      • InterlockedIncrement.KERNEL32(?), ref: 004602AC
                      • InterlockedDecrement.KERNEL32(?), ref: 004602EA
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Interlocked$DecrementResource$DebugFindIncrementLoadOutputStringlstrlen
                      • String ID: 05e$X5e$4e
                      • API String ID: 2086100131-105376989
                      • Opcode ID: 148f923289135ff79a69ef71fa15ef2531723d157065f5cef8740810746e254d
                      • Instruction ID: 1c5d50b39024ae50ccc34e796a1285b3be17dcef8bb6090ba41b92b42621d132
                      • Opcode Fuzzy Hash: 148f923289135ff79a69ef71fa15ef2531723d157065f5cef8740810746e254d
                      • Instruction Fuzzy Hash: 6861F3B56003419BCB28DF15C895B6BB3A9BF84708F14892EF95687381EB38DD098797
                      APIs
                      • GetSystemDirectoryA.KERNEL32 ref: 0047A7CE
                      • GetLastError.KERNEL32 ref: 0047A854
                      • SetLastError.KERNEL32(00000000), ref: 0047A86A
                      • SetLastError.KERNEL32(00000057), ref: 0047A881
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: ErrorLast$DirectorySystem
                      • String ID: %s\%s$\Temp
                      • API String ID: 860285823-2461607942
                      • Opcode ID: 04fd5feb41ef6ff7719f11f00ef0a61bca1146104604b41aa85aef4cc9c35093
                      • Instruction ID: 772a38a52eff7d2ffcd6b83bbd871d8468c948910f55ffab0c45133606bed518
                      • Opcode Fuzzy Hash: 04fd5feb41ef6ff7719f11f00ef0a61bca1146104604b41aa85aef4cc9c35093
                      • Instruction Fuzzy Hash: 745106712083419BD328DF28C8517EFBBD5FBD4740F14892EE65A832D0DB789A0A8683
                      APIs
                      • DeviceIoControl.KERNEL32(00000000,00223049,00000000,?,00000000,00000000,?,00000000), ref: 0042C21A
                        • Part of subcall function 0042BEA0: CloseHandle.KERNEL32 ref: 0042BEAD
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CloseControlDeviceHandle
                      • String ID: TSDEncryptDrv$[CTSDEncryptDrv::SetSafeDiskInfo] 1000, [%s]$[CTSDEncryptDrv::SetSafeDiskInfo] 1001 [%s]-[%s]$[CTSDEncryptDrv::SetSafeDiskInfo] 1002$[CTSDEncryptDrv::SetSafeDiskInfo] 1003
                      • API String ID: 2349616827-3770384097
                      • Opcode ID: 952bd4daaa9a584dd27710267e1265fdc66d5d26ec4b22a32c9c3b05aafe4d99
                      • Instruction ID: 2bbe64668b6760cc001d5413b847ceaa669ae3da29d91df1036997b9fe9a45a9
                      • Opcode Fuzzy Hash: 952bd4daaa9a584dd27710267e1265fdc66d5d26ec4b22a32c9c3b05aafe4d99
                      • Instruction Fuzzy Hash: 8151DF70600751AFC310DF95E882A2BB7E5FB88714F40492EF94187382EB75D904CB66
                      APIs
                      • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 0047A275
                      • GetLastError.KERNEL32 ref: 0047A2FC
                      • SetLastError.KERNEL32(00000000), ref: 0047A30D
                      • SetLastError.KERNEL32(00000057), ref: 0047A325
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: ErrorLast$DirectorySystem
                      • String ID: %s\%s$\Temp
                      • API String ID: 860285823-2461607942
                      • Opcode ID: 89e4630382a323d71afcef8253b0af8cc414bf7b262aa90e16d7dc2a68a77aab
                      • Instruction ID: 84095a10cea4da407448edeeebfe3652ca3db30a8d9ee471886196dad64ff226
                      • Opcode Fuzzy Hash: 89e4630382a323d71afcef8253b0af8cc414bf7b262aa90e16d7dc2a68a77aab
                      • Instruction Fuzzy Hash: F54114316043009BD328DA39D8057EF77C6BBD4750F49CA2EFD9AA33C0DBB899458686
                      APIs
                      • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 0047A435
                      • GetLastError.KERNEL32 ref: 0047A4BC
                      • SetLastError.KERNEL32(00000000), ref: 0047A4CD
                      • SetLastError.KERNEL32(00000057), ref: 0047A4E5
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: ErrorLast$DirectorySystem
                      • String ID: %s\%s$\Temp
                      • API String ID: 860285823-2461607942
                      • Opcode ID: 89e4630382a323d71afcef8253b0af8cc414bf7b262aa90e16d7dc2a68a77aab
                      • Instruction ID: a7e0411182f1aa4e4ce0393f531f9705fe350b13524fcc1976e310b2e40c5ea5
                      • Opcode Fuzzy Hash: 89e4630382a323d71afcef8253b0af8cc414bf7b262aa90e16d7dc2a68a77aab
                      • Instruction Fuzzy Hash: D14104316043006BD328DA38DC057EF77C6BBD4750F08CA2EB99EA72C0DBF999048686
                      APIs
                      • GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 0047A5F7
                      • GetLastError.KERNEL32 ref: 0047A66D
                      • SetLastError.KERNEL32(00000000), ref: 0047A67E
                      • SetLastError.KERNEL32(00000057), ref: 0047A696
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: ErrorLast$DirectorySystem
                      • String ID: %s\%s$\Temp
                      • API String ID: 860285823-2461607942
                      • Opcode ID: 0fb31cd6042f9ca9851a6d8937de4e56233c1412c21e6758bf5999c9ae97594c
                      • Instruction ID: 5b08762432e2babf19997482a4dee0d02ea563968fe935d4fe244f79c8dfecfd
                      • Opcode Fuzzy Hash: 0fb31cd6042f9ca9851a6d8937de4e56233c1412c21e6758bf5999c9ae97594c
                      • Instruction Fuzzy Hash: 7B41D6B1904340ABD724DB60DC85BEF77A8AFD4701F49C82EB94D93240E7B8D954879B
                      APIs
                      • FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 00410174
                      • GetWindowThreadProcessId.USER32(00000000,?), ref: 00410184
                        • Part of subcall function 005BB267: InterlockedDecrement.KERNEL32(-000000F4), ref: 005BB27B
                        • Part of subcall function 00488A80: GetCurrentProcess.KERNEL32(00000000,?,00000000,00000000,00489E9E,?,?,?,004162B7,000000FF,SeDebugPrivilege,00000001,004169C8,?), ref: 00488AA7
                        • Part of subcall function 00488A80: GetCurrentProcessId.KERNEL32 ref: 00488AE8
                        • Part of subcall function 00488A80: OpenProcessToken.ADVAPI32(00000000,000F01FF,00000000), ref: 00488B10
                        • Part of subcall function 00488A80: GetLastError.KERNEL32 ref: 00488B1E
                        • Part of subcall function 00488A80: CloseHandle.KERNEL32(00000000), ref: 00488B2E
                        • Part of subcall function 00488470: DuplicateTokenEx.ADVAPI32(?,000F01FF,00000000,00000001,00000001,00000000,00000000,?,004101D8,00000000), ref: 004884AC
                        • Part of subcall function 00488470: GetLastError.KERNEL32(004101D8,00000000), ref: 004884BB
                      • GetCurrentProcessId.KERNEL32 ref: 0041020B
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Process$Current$ErrorLastTokenWindow$CloseDecrementDuplicateFindHandleInterlockedOpenThread
                      • String ID: Explorer.exe$Shell_TrayWnd$explorer.exe
                      • API String ID: 4183560297-3532235708
                      • Opcode ID: c56adfec535674ca576e142a4ac9449b04e292533528c4430afed4af6d283f5a
                      • Instruction ID: be8b122eed66aad6f11f74666a376d9f1a98933c4bd1c876a67ea79556398a7b
                      • Opcode Fuzzy Hash: c56adfec535674ca576e142a4ac9449b04e292533528c4430afed4af6d283f5a
                      • Instruction Fuzzy Hash: 5531D475604341AFD310EF65D845B9BBBD4BF95760F440A2EF84583391EBB8D848CBA2
                      APIs
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,00466206,?), ref: 004500E7
                      • InterlockedDecrement.KERNEL32(-0000000C), ref: 0045014A
                        • Part of subcall function 0043BCD8: EnterCriticalSection.KERNEL32(00653450,00650230,006501C4,006501C4,0045D19F,-0000000C), ref: 0043BCE9
                        • Part of subcall function 0043BCD8: LeaveCriticalSection.KERNEL32(00653450), ref: 0043BCF8
                      • lstrlenA.KERNEL32 ref: 004501B0
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CriticalSection$ByteCharDecrementEnterInterlockedLeaveMultiWidelstrlen
                      • String ID: 05e$X5e$4e
                      • API String ID: 1028419519-105376989
                      • Opcode ID: 9340a65ed421f1b18003a888ae41755071c25d29f777aa2f3e9e9d1264ad3fef
                      • Instruction ID: 1e28c06f5f18ea6af217a7c636b5b878b6a0391616bcff68535dda93dc9cf994
                      • Opcode Fuzzy Hash: 9340a65ed421f1b18003a888ae41755071c25d29f777aa2f3e9e9d1264ad3fef
                      • Instruction Fuzzy Hash: 5131FC39300A14ABDB249A15CC85B2B7799EB95792F10422FFD039B381CA75AC0CD797
                      APIs
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 004502A5
                      • InterlockedDecrement.KERNEL32 ref: 004502F5
                      • lstrlenA.KERNEL32(?,00000000,00000000), ref: 00450366
                        • Part of subcall function 0043BCD8: EnterCriticalSection.KERNEL32(00653450,00650230,006501C4,006501C4,0045D19F,-0000000C), ref: 0043BCE9
                        • Part of subcall function 0043BCD8: LeaveCriticalSection.KERNEL32(00653450), ref: 0043BCF8
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CriticalSection$ByteCharDecrementEnterInterlockedLeaveMultiWidelstrlen
                      • String ID: 05e$X5e$4e
                      • API String ID: 1028419519-105376989
                      • Opcode ID: ad8d0f42ce6184aa6e86794b41d520f4b160ea425be4b733a8d1a693054a2d81
                      • Instruction ID: 02d78f4c54c8c20290bb143d5a13ea0123a0dd11805f057f9c764719378346e5
                      • Opcode Fuzzy Hash: ad8d0f42ce6184aa6e86794b41d520f4b160ea425be4b733a8d1a693054a2d81
                      • Instruction Fuzzy Hash: 4D31AF78200345ABDB14EF198884B2B7799FB95312F10051FFE129B3A2DB34ED0D87A6
                      APIs
                      • InterlockedIncrement.KERNEL32(?), ref: 0045C3B3
                      • lstrlenA.KERNEL32(?,?,?,?,?,?,0045C15D,?,00000000), ref: 0045C3D6
                      • InterlockedDecrement.KERNEL32(?), ref: 0045C401
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Interlocked$DecrementIncrementlstrlen
                      • String ID: 05e$X5e$4e
                      • API String ID: 1590690830-105376989
                      • Opcode ID: 9732f4ad14eb0908d6e21d2fe83eb2c87a9e3261ec0f4c93f605d761db037860
                      • Instruction ID: 3fb00d3d2af2e0b603467eaaa79b8f7c76100937a9bf09b3446bfc6ec93ef58a
                      • Opcode Fuzzy Hash: 9732f4ad14eb0908d6e21d2fe83eb2c87a9e3261ec0f4c93f605d761db037860
                      • Instruction Fuzzy Hash: 3331C2312003049FCB24EF19D8D0A3BB7A9FB96716F10915FE90397352CB396848DB5A
                      APIs
                        • Part of subcall function 0045B350: InterlockedDecrement.KERNEL32(?), ref: 0045B397
                      • GetTickCount.KERNEL32 ref: 0058878A
                      • GetLogicalDrives.KERNEL32 ref: 00588792
                        • Part of subcall function 0045B5A0: InterlockedDecrement.KERNEL32(?), ref: 0045B626
                        • Part of subcall function 0045B5A0: InterlockedDecrement.KERNEL32(?), ref: 0045B66E
                        • Part of subcall function 0045B5A0: InterlockedIncrement.KERNEL32(?), ref: 0045B6EB
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Interlocked$Decrement$CountDrivesIncrementLogicalTick
                      • String ID: Xbe$Xbe$hbe$hbe
                      • API String ID: 3979535241-537707418
                      • Opcode ID: 3f4dd9d9763f80955c0ec617c5fd411f851c4bdcae5b3d132326ac53a9acc7f5
                      • Instruction ID: 8cf15325a4660e1451bbbb6f07b9a8cbf42095d892e364f8ef609c2cec735a58
                      • Opcode Fuzzy Hash: 3f4dd9d9763f80955c0ec617c5fd411f851c4bdcae5b3d132326ac53a9acc7f5
                      • Instruction Fuzzy Hash: BE31E130208315ABC750AF54CC51B2A7BA5EBC1B26FD0072EF921A72D2DBB99509C796
                      APIs
                      • InterlockedIncrement.KERNEL32(00656530), ref: 0058C73C
                      • InterlockedDecrement.KERNEL32(00656530), ref: 0058C751
                        • Part of subcall function 00441906: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00449AEE,00000009,00000000,00000000,00000001,004422A6,00000001,00000074,?,?,00000000,00000001), ref: 00441943
                        • Part of subcall function 00441906: EnterCriticalSection.KERNEL32(?,?,?,00449AEE,00000009,00000000,00000000,00000001,004422A6,00000001,00000074,?,?,00000000,00000001), ref: 0044195E
                      • InterlockedDecrement.KERNEL32(00656530), ref: 0058C780
                      • InterlockedDecrement.KERNEL32(00656530), ref: 0058C7C5
                      • InterlockedDecrement.KERNEL32(00656530), ref: 0058C7EA
                        • Part of subcall function 00441967: LeaveCriticalSection.KERNEL32(?,0043E736,00000009,0043E722,00000000,?,00000000,00000000,00000000), ref: 00441974
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Interlocked$Decrement$CriticalSection$EnterIncrementInitializeLeave
                      • String ID: 0ee
                      • API String ID: 2133288049-4269291191
                      • Opcode ID: ba354c9198939b69ae7f8d2acbfd18c2cb4a57af830c27be19800aeffb36d9cc
                      • Instruction ID: caf8bd72822a4b3468368155ac11e1f406b20f10173cec20a97c3b4871b375b7
                      • Opcode Fuzzy Hash: ba354c9198939b69ae7f8d2acbfd18c2cb4a57af830c27be19800aeffb36d9cc
                      • Instruction Fuzzy Hash: B921A132105219FADF25BFA59C81A9D3F65FB01B26F20412EF910B61E0DB744A80EF75
                      APIs
                      • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0043C398
                      • GetSystemMetrics.USER32(00000000), ref: 0043C3B0
                      • GetSystemMetrics.USER32(00000001), ref: 0043C3B7
                      • lstrcpyA.KERNEL32(?,DISPLAY), ref: 0043C3DB
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: System$Metrics$InfoParameterslstrcpy
                      • String ID: B$DISPLAY
                      • API String ID: 1409579217-3316187204
                      • Opcode ID: 38fef00502792f367d027e085625c007667f899ec5089796ac64cc1184392be2
                      • Instruction ID: 39325abfcdaae19621a83b3738590f49b19f52dd5a8d91948fbe7e539cf26804
                      • Opcode Fuzzy Hash: 38fef00502792f367d027e085625c007667f899ec5089796ac64cc1184392be2
                      • Instruction Fuzzy Hash: 91119A72601324EBCF11AF64DCC4A9BBBA8EF0E751F008027FC06EA146D2B5D900CBA4
                      APIs
                      • lstrlenW.KERNEL32(?), ref: 004986DE
                      • lstrlenW.KERNEL32(?), ref: 00498703
                      • lstrlenW.KERNEL32(756EE0B0), ref: 00498747
                      • InterlockedDecrement.KERNEL32(?), ref: 00498781
                      • InterlockedDecrement.KERNEL32(?), ref: 0049887A
                      • lstrlenW.KERNEL32(?), ref: 0049893A
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: lstrlen$DecrementInterlocked
                      • String ID:
                      • API String ID: 450581559-0
                      • Opcode ID: 79640a3310216609376b3180ff58363890b82254f25ffee98a5967371abd1ce4
                      • Instruction ID: d40d8bcc79b5afe3dbae3c76f5e363e735ec50d57c656b9894214c7475d3198e
                      • Opcode Fuzzy Hash: 79640a3310216609376b3180ff58363890b82254f25ffee98a5967371abd1ce4
                      • Instruction Fuzzy Hash: EC816C756042168F8B14DF68C88096FBBE5FF89314B54893EE946A7300EB34ED09CB96
                      APIs
                      • GetModuleHandleA.KERNEL32(00000000,?,?,?,00000100), ref: 0049A6ED
                        • Part of subcall function 0049A620: FindResourceExA.KERNEL32(?,00000006,G`I,?), ref: 0049A641
                        • Part of subcall function 0049A620: LoadResource.KERNEL32(?,00000000), ref: 0049A64D
                      • lstrlenW.KERNEL32(?), ref: 0049A726
                      • InterlockedDecrement.KERNEL32(?), ref: 0049A849
                      • GetModuleHandleA.KERNEL32(00000000,?,?,00000000,?), ref: 0049A879
                      • InterlockedDecrement.KERNEL32(-0000000C), ref: 0049A8B7
                      • lstrlenW.KERNEL32(?), ref: 0049A8FE
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: DecrementHandleInterlockedModuleResourcelstrlen$FindLoad
                      • String ID:
                      • API String ID: 1587905534-0
                      • Opcode ID: 6e2760311aeb49fd36ebf11aadcfb7dc3cc843284cf03568224f6f0245a08698
                      • Instruction ID: d3be051d3f8a95963aa1d9d899a55cc41f9e37a1cbe2a76b32c3ec8eabec0a30
                      • Opcode Fuzzy Hash: 6e2760311aeb49fd36ebf11aadcfb7dc3cc843284cf03568224f6f0245a08698
                      • Instruction Fuzzy Hash: AD71BF716046158FCB28DF58D895A2BBBE5FF88304F10857EE8428B341DB75E819CBC6
                      APIs
                      • GetStringTypeW.KERNEL32(00000001,005E182C,00000001,?,-00000006,00000000,006501B0,?,?,0043E294,00458D8F,00000004), ref: 0044C720
                      • GetStringTypeExA.KERNEL32(00000000,00000001,005E1828,00000001,?,?,?,0043E294,00458D8F,00000004), ref: 0044C73A
                      • GetStringTypeW.KERNEL32(00000100,00000004,00458D8F,0043E294,-00000006,00000000,006501B0,?,?,0043E294,00458D8F,00000004), ref: 0044C761
                      • WideCharToMultiByte.KERNEL32(?,00000220,00000004,00458D8F,00000000,00000000,00000000,00000000,-00000006,00000000,006501B0,?,?,0043E294,00458D8F,00000004), ref: 0044C794
                      • WideCharToMultiByte.KERNEL32(?,00000220,00000004,00458D8F,00000000,00000000,00000000,00000000,?,?,?,?,?,0043E294,00458D8F,00000004), ref: 0044C7FD
                      • GetStringTypeExA.KERNEL32(?,00000100,?,?,?,?,?,?,?,?,0043E294,00458D8F,00000004), ref: 0044C868
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: StringType$ByteCharMultiWide
                      • String ID:
                      • API String ID: 3852931651-0
                      • Opcode ID: cb558af70ef433e8e59c2796537a0a3c1cfd0e92961b8abaf33d97b751c50a9a
                      • Instruction ID: e4d7dcdc2cb935b5439fa2b344918f8fe7d69e368eafd5381e38833f0cc1ca8c
                      • Opcode Fuzzy Hash: cb558af70ef433e8e59c2796537a0a3c1cfd0e92961b8abaf33d97b751c50a9a
                      • Instruction Fuzzy Hash: E551DD3190120AEBDF219FA9DC86DEFBFB8FF49B51F14851AF410A2290D3348951DBA4
                      APIs
                      • Sleep.KERNEL32(00000001,?,?,?,?,?,?,?,00000000,6CBB7610), ref: 004A257E
                      • Sleep.KERNEL32(00000001,?,?,?,?,?,?,?,00000000,6CBB7610), ref: 004A2630
                        • Part of subcall function 004A4CA0: InterlockedCompareExchange.KERNEL32(6CBB7610,00000000,?), ref: 004A4CAF
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Sleep$CompareExchangeInterlocked
                      • String ID: <e$ <e$(<e$(<e
                      • API String ID: 2832635430-3227037445
                      • Opcode ID: 0c4ebb007fded9bf7479f442ff2ab77741357983565e34ca0408918e0f34b671
                      • Instruction ID: 637bb7527a53aba984f1bb7807581738d07e05ab5fdc0fa22ed4b67199e7fc5e
                      • Opcode Fuzzy Hash: 0c4ebb007fded9bf7479f442ff2ab77741357983565e34ca0408918e0f34b671
                      • Instruction Fuzzy Hash: 00316CA1EC131039F7302E197D87B0D160387B2F5AF454037F9467A3E2E5CA4A2852AE
                      APIs
                      • SafeArrayGetDim.OLEAUT32(?), ref: 004386EF
                      • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00438703
                      • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00438718
                      • SafeArrayRedim.OLEAUT32(?,?), ref: 00438744
                      • VariantClear.OLEAUT32(?), ref: 00438753
                      • SafeArrayCreate.OLEAUT32(00000011,00000001,?), ref: 00438770
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: ArraySafe$Bound$ClearCreateRedimVariant
                      • String ID:
                      • API String ID: 3151960920-0
                      • Opcode ID: 7f7ab4373a297cd22667af6f76ce253a6d5723597dcaf595dac13738e55fa4d6
                      • Instruction ID: 9001604a7f04ce6809855cd894f7585b4d8a85e99184e258d6b92f7d3755425c
                      • Opcode Fuzzy Hash: 7f7ab4373a297cd22667af6f76ce253a6d5723597dcaf595dac13738e55fa4d6
                      • Instruction Fuzzy Hash: B6116D71910309BFCB20AFA0CC45A9EBBB9EF18301F10882BF556D6520DB74EA84DB50
                      APIs
                      • lstrlenW.KERNEL32(?), ref: 004625B8
                        • Part of subcall function 0045A260: FindResourceExA.KERNEL32(006501B0,00000006,00650231,006501B0), ref: 0045A281
                        • Part of subcall function 0045A260: LoadResource.KERNEL32(006501B0,00000000), ref: 0045A28D
                        • Part of subcall function 00456F00: InterlockedDecrement.KERNEL32(-0000000C), ref: 00456F61
                      • InterlockedIncrement.KERNEL32(?), ref: 00462690
                      • InterlockedDecrement.KERNEL32(?), ref: 004626CD
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Interlocked$DecrementResource$FindIncrementLoadlstrlen
                      • String ID: @4e$h4e
                      • API String ID: 3419329819-4164473680
                      • Opcode ID: f22198d71f2d657c29430890ba5fd576159f60529a016a9338939a0f3b7fb2e9
                      • Instruction ID: 0b8a1b031409dbd1e05ac6ae121431e4e8ac0e06e0a8bbed2fd10b622e142823
                      • Opcode Fuzzy Hash: f22198d71f2d657c29430890ba5fd576159f60529a016a9338939a0f3b7fb2e9
                      • Instruction Fuzzy Hash: BD610671604A42ABCB24DF14C991B7BB3A9FF94704F10462EF95287381EBB8DD098797
                      APIs
                      • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,tpacketv.sys,00000000), ref: 0040A15D
                      • GetProcAddress.KERNEL32(00000000,GetFileAttributesExW), ref: 0040A16D
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: AddressHandleModuleProc
                      • String ID: GetFileAttributesExW$kernel32.dll$tpacketv.sys
                      • API String ID: 1646373207-2898633431
                      • Opcode ID: e175020fd6a0a685faee51c9315dbb065d94e82ff4ddd7349de4c225992f04a9
                      • Instruction ID: bed03636c0dadc371790df70e06d78dfb07f92853fbb745e3162e0f5ddd073d3
                      • Opcode Fuzzy Hash: e175020fd6a0a685faee51c9315dbb065d94e82ff4ddd7349de4c225992f04a9
                      • Instruction Fuzzy Hash: 9F413D753083409FD320DF29D840BABB7E5AF89314F04897EE948D7391EA34E814CB56
                      APIs
                      • InterlockedIncrement.KERNEL32(00656530), ref: 0043E04D
                      • InterlockedDecrement.KERNEL32(00656530), ref: 0043E05C
                      • InterlockedDecrement.KERNEL32(00656530), ref: 0043E08F
                      • InterlockedDecrement.KERNEL32(00656530), ref: 0043E12B
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Interlocked$Decrement$Increment
                      • String ID: 0ee
                      • API String ID: 2574743344-4269291191
                      • Opcode ID: 2b9e91f5daeed369d6307bcad66f9b1d4778fee05d329a479349a056d97c2131
                      • Instruction ID: d1ff978743780f8fc18d0404c31ed7a8c9a67b1942b3fa0c6f330cc3f8ecc973
                      • Opcode Fuzzy Hash: 2b9e91f5daeed369d6307bcad66f9b1d4778fee05d329a479349a056d97c2131
                      • Instruction Fuzzy Hash: 4A313731403224EBDF246F72DC04A9F3B76EB097A5F64212BF001562E1E3B98D81C799
                      APIs
                      • InterlockedIncrement.KERNEL32(00656530), ref: 0058C635
                      • InterlockedDecrement.KERNEL32(00656530), ref: 0058C644
                      • InterlockedDecrement.KERNEL32(00656530), ref: 0058C677
                      • InterlockedDecrement.KERNEL32(00656530), ref: 0058C70F
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Interlocked$Decrement$Increment
                      • String ID: 0ee
                      • API String ID: 2574743344-4269291191
                      • Opcode ID: d91d950e6abe8777996fb47b87a9ad7e04fd4c5fdd2b7e70b939eeb6685f74ec
                      • Instruction ID: 193fdb7ae144daab0d16b13f144f2dffde357956f46db1516057e9819269c5ac
                      • Opcode Fuzzy Hash: d91d950e6abe8777996fb47b87a9ad7e04fd4c5fdd2b7e70b939eeb6685f74ec
                      • Instruction Fuzzy Hash: 96312570900215BFFB216B6ADC46BAA3FA4FB01761F24106AFD017A191EA744980DB64
                      APIs
                      • InterlockedDecrement.KERNEL32(?), ref: 0045269D
                        • Part of subcall function 0043BCD8: EnterCriticalSection.KERNEL32(00653450,00650230,006501C4,006501C4,0045D19F,-0000000C), ref: 0043BCE9
                        • Part of subcall function 0043BCD8: LeaveCriticalSection.KERNEL32(00653450), ref: 0043BCF8
                      • InterlockedDecrement.KERNEL32(?), ref: 0045270C
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CriticalDecrementInterlockedSection$EnterLeave
                      • String ID: 05e$X5e$4e
                      • API String ID: 1158270854-105376989
                      • Opcode ID: ea6696d09bad12d51860dea9dc5afe913775ab0b11ce2d41b10a6dec737c2de7
                      • Instruction ID: 29366c2bbe9dbed4d6def0588085213a471c23e63c560c37842348d5cc20e4b1
                      • Opcode Fuzzy Hash: ea6696d09bad12d51860dea9dc5afe913775ab0b11ce2d41b10a6dec737c2de7
                      • Instruction Fuzzy Hash: AB31E0356006149FCB24EE18C980A2BB3D5EB8A345F10042FED42DB346CBA8FE4DC796
                      APIs
                      • InterlockedDecrement.KERNEL32(?), ref: 00456441
                      • InterlockedDecrement.KERNEL32(?), ref: 0045648C
                      • InterlockedIncrement.KERNEL32(?), ref: 00456507
                        • Part of subcall function 0043BCD8: EnterCriticalSection.KERNEL32(00653450,00650230,006501C4,006501C4,0045D19F,-0000000C), ref: 0043BCE9
                        • Part of subcall function 0043BCD8: LeaveCriticalSection.KERNEL32(00653450), ref: 0043BCF8
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Interlocked$CriticalDecrementSection$EnterIncrementLeave
                      • String ID: @4e$h4e
                      • API String ID: 759824558-4164473680
                      • Opcode ID: 3be8f2cbd46596726705977935a3562fe8dd70fe937fc8873c4e68fafca0cde0
                      • Instruction ID: 4394a02a6d88f84bec3bc7eab79de8442b74f18ed818d04f10150168f8ec8506
                      • Opcode Fuzzy Hash: 3be8f2cbd46596726705977935a3562fe8dd70fe937fc8873c4e68fafca0cde0
                      • Instruction Fuzzy Hash: 3F31E5313011049B9B249F19D89463FB3AAFB86316B91813FED028B352DB38AC08C75E
                      APIs
                        • Part of subcall function 004559D0: lstrlenW.KERNEL32(?,?,0065084C,006501B0,00650230,00000000), ref: 00455A48
                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000044,?), ref: 004106FC
                      • CloseHandle.KERNEL32(?), ref: 00410727
                      • GetLastError.KERNEL32 ref: 0041072F
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CloseCreateErrorHandleLastProcesslstrlen
                      • String ID: "%s" %s$D
                      • API String ID: 1843849325-3971972636
                      • Opcode ID: 6085411ed1d97d28a022ae281bd62b865d1e0e547678a98799284f62e0fcb00b
                      • Instruction ID: ead0a8d0262c06563bcc6249dbd2e21812513c488c79805c104a2615e58c2ee4
                      • Opcode Fuzzy Hash: 6085411ed1d97d28a022ae281bd62b865d1e0e547678a98799284f62e0fcb00b
                      • Instruction Fuzzy Hash: 6B41A0B5644741AFD324CF14C841BABB7E4BBC4714F004A2DBA99973D0E778A948CB97
                      APIs
                      • DeviceIoControl.KERNEL32(00000000,?,?,?,00000000,00000000,?,00000000), ref: 00430238
                      Strings
                      • [CTSDEncryptDrv::SetTargetProcessEx 2] 1004 [0x%lx], xrefs: 0043024C
                      • NotifyEncDrv, xrefs: 004301E9, 00430251, 00430284
                      • [CTSDEncryptDrv::SetTargetProcessEx 2 size[%d]] 1000, xrefs: 004301E4
                      • [CTSDEncryptDrv::SetTargetProcessEx 2] 1005, xrefs: 0043027F
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: ControlDevice
                      • String ID: NotifyEncDrv$[CTSDEncryptDrv::SetTargetProcessEx 2 size[%d]] 1000$[CTSDEncryptDrv::SetTargetProcessEx 2] 1004 [0x%lx]$[CTSDEncryptDrv::SetTargetProcessEx 2] 1005
                      • API String ID: 2352790924-1476003780
                      • Opcode ID: 964733a23a90a14424eea98cdbd1fc702a3ddf66acf7ed58b7c96a08b151326d
                      • Instruction ID: 153b6057dccfe85765d715f4e1b1960739007f2ce0fa59036f6b1f2586f79d7f
                      • Opcode Fuzzy Hash: 964733a23a90a14424eea98cdbd1fc702a3ddf66acf7ed58b7c96a08b151326d
                      • Instruction Fuzzy Hash: B61127313403252BE220EE59BC45F27779AEF98B66F05425EBA41932C2EB64DC0487A6
                      APIs
                      • GetModuleHandleA.KERNEL32(advapi32.dll,?,0047311C,00000003,00000000,756F1760,00000000,000000FF,00472D17,00653624,00653628), ref: 00474716
                      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExA), ref: 00474726
                      • RegCloseKey.ADVAPI32(756F1760,?,0047311C,00000003,00000000,756F1760,00000000,000000FF,00472D17,00653624,00653628), ref: 00474738
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: AddressCloseHandleModuleProc
                      • String ID: RegDeleteKeyExA$advapi32.dll
                      • API String ID: 4190037839-1846899949
                      • Opcode ID: cc0b4438fc80a78adf153e9618e4cccca9bf736b477eaa8a50c996e9d3b50f5a
                      • Instruction ID: c2e0f29356a36a8f1e8f8d21b6361d877d4012c2effa9cb1c4b0a70d58308caa
                      • Opcode Fuzzy Hash: cc0b4438fc80a78adf153e9618e4cccca9bf736b477eaa8a50c996e9d3b50f5a
                      • Instruction Fuzzy Hash: 2E014BB46013118BE730CF24D8887AABBD4EB66701F20C92FE88EC7750D7B8D8408B19
                      APIs
                      • GetModuleHandleA.KERNEL32(kernel32.dll,?,004244C0,00000000,?,00000000,?,?,00650230,00000000,?,?,?,?,?,00000000), ref: 00424552
                      • GetProcAddress.KERNEL32(00000000,ProcessIdToSessionId), ref: 0042455E
                      • GetCurrentProcessId.KERNEL32(00000000,?,004244C0,00000000,?,00000000,?,?,00650230,00000000,?,?,?,?,?,00000000), ref: 00424578
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: AddressCurrentHandleModuleProcProcess
                      • String ID: ProcessIdToSessionId$kernel32.dll
                      • API String ID: 4190356694-3889420803
                      • Opcode ID: 6b7a0d47cace453a5ee864fc27ae9110df44de95bbbd74cef4c5f78f976665fe
                      • Instruction ID: b92906de0f9da0451ca3a124118d3e217abb5ea8269aadd6cee0e702d1ebab3a
                      • Opcode Fuzzy Hash: 6b7a0d47cace453a5ee864fc27ae9110df44de95bbbd74cef4c5f78f976665fe
                      • Instruction Fuzzy Hash: 18F0C9B5705300ABEB58CFA4FD4A51637E6EF98302F24582EF946C2650E7B4C840AB14
                      APIs
                      • GetModuleHandleA.KERNEL32(advapi32.dll,756F1760,00472EE7), ref: 00474688
                      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExA), ref: 00474698
                      • RegCloseKey.ADVAPI32(00000001,756F1760,00472EE7), ref: 004746AA
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: AddressCloseHandleModuleProc
                      • String ID: RegDeleteKeyExA$advapi32.dll
                      • API String ID: 4190037839-1846899949
                      • Opcode ID: ea25170d8836f3871daa8083e87e36d227c873f73813c927219bedb557e1d86f
                      • Instruction ID: 6e1d4d0d6ab78d9e411570e7b2c911c94962a10e2895512ea9226c3422832877
                      • Opcode Fuzzy Hash: ea25170d8836f3871daa8083e87e36d227c873f73813c927219bedb557e1d86f
                      • Instruction Fuzzy Hash: BCF0A5B16013118FE7209F64F8087927BE9AB15B42F04852FA84AD7390DBB999548B98
                      APIs
                      • InterlockedIncrement.KERNEL32(?), ref: 0046218E
                      • lstrlenW.KERNEL32 ref: 004621A7
                      • InterlockedIncrement.KERNEL32(?), ref: 0046227D
                      • lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,005CE2CF,000000FF), ref: 00462295
                      • InterlockedDecrement.KERNEL32(?), ref: 004622EC
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Interlocked$Incrementlstrlen$Decrement
                      • String ID:
                      • API String ID: 3362539960-0
                      • Opcode ID: a31ccc6e20355fedbd2fbe3d8df138d3975bbf5acc8e5eee740227ea0ade82ac
                      • Instruction ID: 82c4f8d71c40bee0d6fc24b91898bdc9e189c914d44cd773755725dd63e65b4f
                      • Opcode Fuzzy Hash: a31ccc6e20355fedbd2fbe3d8df138d3975bbf5acc8e5eee740227ea0ade82ac
                      • Instruction Fuzzy Hash: F251CE706047469FCB14DF18C89495EB7E5FF88304F508A2EE8569B350E778EE08CB82
                      APIs
                      • InterlockedIncrement.KERNEL32(?), ref: 0046235E
                      • lstrlenW.KERNEL32(?), ref: 00462377
                      • InterlockedIncrement.KERNEL32(?), ref: 0046244D
                      • lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,005CE2FF,000000FF), ref: 00462465
                      • InterlockedDecrement.KERNEL32(?), ref: 004624BC
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Interlocked$Incrementlstrlen$Decrement
                      • String ID:
                      • API String ID: 3362539960-0
                      • Opcode ID: 028aa0b0a3623d890d3036f113d5ee8a584f04f1c59d2d6bd1abfa50c3dd935c
                      • Instruction ID: aa41925a1e4db8ffdf9a89b77c54536442eaab87ad1fd240e9dcfa38203e4ab0
                      • Opcode Fuzzy Hash: 028aa0b0a3623d890d3036f113d5ee8a584f04f1c59d2d6bd1abfa50c3dd935c
                      • Instruction Fuzzy Hash: CA519B706006469FCB14DF29C88496EB7E5FF48314F50892EE8569B350EB78EE48CB82
                      APIs
                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00476608
                      • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,000000FF), ref: 00476650
                      • RegEnumValueA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 004766CB
                      • RegCloseKey.ADVAPI32 ref: 004766FE
                      • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,000000FF), ref: 00476718
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Close$EnumInfoOpenQueryValue
                      • String ID:
                      • API String ID: 1662924112-0
                      • Opcode ID: d32dd77797dbcbc95595e1359789ca1a6454225c2bc4568ebc7f9ef22d6695e7
                      • Instruction ID: c59ab9b3b1100bf81b3d6be476f74d30e65d16ed0cb80423019e86cb6785ae6c
                      • Opcode Fuzzy Hash: d32dd77797dbcbc95595e1359789ca1a6454225c2bc4568ebc7f9ef22d6695e7
                      • Instruction Fuzzy Hash: CE311531604604AFD324DF18D884AABB7EDEBC4754F418A2FF54A93201E775ED058BA2
                      APIs
                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 004763D8
                      • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,000000FF), ref: 00476420
                      • RegEnumKeyA.ADVAPI32(?,00000000,00000000,?), ref: 00476484
                      • RegCloseKey.ADVAPI32 ref: 004764B7
                      • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,000000FF), ref: 004764D1
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Close$EnumInfoOpenQuery
                      • String ID:
                      • API String ID: 1383594502-0
                      • Opcode ID: 0244a7af07a1f81920ec2ede9b29af75c9427eefd0c6b6f3149c17aa58e3d2ff
                      • Instruction ID: 3c50f7644533001fc8802afdfd2e469acefca5dabf4f05fae685026e07854513
                      • Opcode Fuzzy Hash: 0244a7af07a1f81920ec2ede9b29af75c9427eefd0c6b6f3149c17aa58e3d2ff
                      • Instruction Fuzzy Hash: 6E31D8715046056BC320DE54DC848BBB7DDFB85714F158A2EF98BD3201D73AED0987AA
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 39b578fcb4ba4934c8b16ace7c7bd7fd3c2d49d9740d551a707296bd63919d22
                      • Instruction ID: 9277b9291a2837a5427285b68bedba9cf469b8059ea96fc6ff5662b4ddf36791
                      • Opcode Fuzzy Hash: 39b578fcb4ba4934c8b16ace7c7bd7fd3c2d49d9740d551a707296bd63919d22
                      • Instruction Fuzzy Hash: 44218D76605311ABD724DB68ED81A6B73E8AFD4710B044A3EF842A3290E738F8099765
                      APIs
                      • GetTokenInformation.ADVAPI32 ref: 00488506
                      • GetTokenInformation.ADVAPI32(?,00000013(TokenIntegrityLevel)), ref: 0048852A
                      • DuplicateTokenEx.ADVAPI32(?,000F01FF,00000000,00000001,00000001,00000000), ref: 0048856E
                      • GetLastError.KERNEL32 ref: 0048857C
                      • SetLastError.KERNEL32(0000007F), ref: 00488593
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Token$ErrorInformationLast$Duplicate
                      • String ID:
                      • API String ID: 885298127-0
                      • Opcode ID: 20b4b3908cd628a41de976b9eb634b5edf15a6a3873b26fd03dc7f10fb22e724
                      • Instruction ID: b9bb75280c2e00b9d320f96411fbf722f16063425c81d32a81275beeb47634e1
                      • Opcode Fuzzy Hash: 20b4b3908cd628a41de976b9eb634b5edf15a6a3873b26fd03dc7f10fb22e724
                      • Instruction Fuzzy Hash: 62118171244302ABD720EF15ED45B9BB3E8AF84B45F44081EF644D3280E774D9098B66
                      APIs
                      • GetLastError.KERNEL32(00000103,7FFFFFFF,00441417,0044133A,00000000,?,?,00000000,00000001), ref: 00442283
                      • TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 00442291
                      • SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 004422DD
                        • Part of subcall function 00449A38: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,004422A6,00000001,00000074,?,?,00000000,00000001), ref: 00449B2E
                      • TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 004422B5
                      • GetCurrentThreadId.KERNEL32 ref: 004422C6
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: ErrorLastValue$AllocCurrentHeapThread
                      • String ID:
                      • API String ID: 2020098873-0
                      • Opcode ID: 381322148b4a2a087ea8ad1879fb3e3ebaa32db8405c3a81a379f9a6746c169f
                      • Instruction ID: dd7f8e76cd4417d2ae29c860160042520f3a778d254fa7f8a5fdf5922845cf87
                      • Opcode Fuzzy Hash: 381322148b4a2a087ea8ad1879fb3e3ebaa32db8405c3a81a379f9a6746c169f
                      • Instruction Fuzzy Hash: 21F024365027125BE3303B35BC0961B3B50FF01B71B85022BF582E62E0DBE88841A790
                      APIs
                        • Part of subcall function 004380D0: LoadLibraryW.KERNEL32(advapi32.dll,00000000,00488375,00417E99), ref: 00438104
                      • LookupAccountSidW.ADVAPI32(00000000,?,?,00000000,?,?,?), ref: 0048871A
                      • ConvertSidToStringSidW.ADVAPI32 ref: 004887CD
                      • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 00488809
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: AccountConvertFreeLibraryLoadLocalLookupString
                      • String ID: %s\%s
                      • API String ID: 3422593332-4073750446
                      • Opcode ID: c13d54e2c2a2279197e39030449a5d60712fb5d815e7ec93557e86028a7ec67d
                      • Instruction ID: 8925d719d74e0fc2b4b3240d7ec1c10202db5ea935744b4c8e7efa1bbe26d798
                      • Opcode Fuzzy Hash: c13d54e2c2a2279197e39030449a5d60712fb5d815e7ec93557e86028a7ec67d
                      • Instruction Fuzzy Hash: 024162726043415BE720EB64DC41BAFB3E9EB88741F844C2DF94997341EF79E90887A6
                      APIs
                      • InterlockedDecrement.KERNEL32 ref: 004525BB
                        • Part of subcall function 0043BCD8: EnterCriticalSection.KERNEL32(00653450,00650230,006501C4,006501C4,0045D19F,-0000000C), ref: 0043BCE9
                        • Part of subcall function 0043BCD8: LeaveCriticalSection.KERNEL32(00653450), ref: 0043BCF8
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CriticalSection$DecrementEnterInterlockedLeave
                      • String ID: 05e$X5e$4e
                      • API String ID: 1807080765-105376989
                      • Opcode ID: f2496673fc1c40c5b938f0ff1a71f18bb328621584e1376055fc22b5f57c9fc5
                      • Instruction ID: 5b8660c6b1c856daaeeb812f1ae44a0bc958db56ff16fa8b016e85d3f483bef7
                      • Opcode Fuzzy Hash: f2496673fc1c40c5b938f0ff1a71f18bb328621584e1376055fc22b5f57c9fc5
                      • Instruction Fuzzy Hash: F231A13470420A9FCB18EE28C59052FB796FB85315F50452FED12A7352EA74FD0D8B5A
                      APIs
                      • InterlockedIncrement.KERNEL32(00656530), ref: 0058C565
                      • InterlockedDecrement.KERNEL32(00656530), ref: 0058C574
                      • InterlockedDecrement.KERNEL32(00656530), ref: 0058C5D7
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Interlocked$Decrement$Increment
                      • String ID: 0ee
                      • API String ID: 2574743344-4269291191
                      • Opcode ID: 364980ef22eb40395d1c0b2facb4967b4d30595c527f6b4c6e01001591abde2c
                      • Instruction ID: 6b537835b81f666a5c59f1cf2c7b0f170d3fa742e651d034e63c0782acaceae3
                      • Opcode Fuzzy Hash: 364980ef22eb40395d1c0b2facb4967b4d30595c527f6b4c6e01001591abde2c
                      • Instruction Fuzzy Hash: F631D2B6400209EBDF20BF24D8042A97F64FB04755F94C02BFC55AA145E774AAC2CFB9
                      APIs
                      • GetModuleFileNameA.KERNEL32(00000000,00000104,00000104), ref: 004784CA
                      • GetLastError.KERNEL32 ref: 00478575
                      • SetLastError.KERNEL32(00000000), ref: 00478588
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: ErrorLast$FileModuleName
                      • String ID: %s\%s
                      • API String ID: 1026760046-4073750446
                      • Opcode ID: 4965e86e703f95824dc3b347c566a8ff60ebecc4e8f56b0895813d5beecfd4fd
                      • Instruction ID: 6155c0a4d5edd11587e65b18d92284da1f86fbd2456917ff04eb3d512e2b2011
                      • Opcode Fuzzy Hash: 4965e86e703f95824dc3b347c566a8ff60ebecc4e8f56b0895813d5beecfd4fd
                      • Instruction Fuzzy Hash: B121F672A453106BE338DA3598457EB7789ABC0B50F19C63EB95A93280DE78DC048696
                      APIs
                      • GetModuleFileNameA.KERNEL32(00000000,00000104,00000104), ref: 004785CA
                      • GetLastError.KERNEL32 ref: 00478675
                      • SetLastError.KERNEL32(00000000), ref: 00478688
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: ErrorLast$FileModuleName
                      • String ID: %s\%s
                      • API String ID: 1026760046-4073750446
                      • Opcode ID: 4965e86e703f95824dc3b347c566a8ff60ebecc4e8f56b0895813d5beecfd4fd
                      • Instruction ID: f2b45cd9f4d51bf0704ec8b18657fc6ce094c71fa4254eeaacfc3fda2a06d570
                      • Opcode Fuzzy Hash: 4965e86e703f95824dc3b347c566a8ff60ebecc4e8f56b0895813d5beecfd4fd
                      • Instruction Fuzzy Hash: E621F872A443106BD338D6358C45BEB7789ABC0750F19CA3EBA5993284DE79DC0486D5
                      APIs
                      • InterlockedDecrement.KERNEL32 ref: 0045816B
                        • Part of subcall function 0043BCD8: EnterCriticalSection.KERNEL32(00653450,00650230,006501C4,006501C4,0045D19F,-0000000C), ref: 0043BCE9
                        • Part of subcall function 0043BCD8: LeaveCriticalSection.KERNEL32(00653450), ref: 0043BCF8
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CriticalSection$DecrementEnterInterlockedLeave
                      • String ID: @4e$b}@\_$h4e
                      • API String ID: 1807080765-3980480479
                      • Opcode ID: 6649c9187f37b686761df89de52caff334e32c9185e72093086156c01ab61402
                      • Instruction ID: 6885450050d070e89517c0b48644d1e8b059c2104e8ff76701ae70021c06b703
                      • Opcode Fuzzy Hash: 6649c9187f37b686761df89de52caff334e32c9185e72093086156c01ab61402
                      • Instruction Fuzzy Hash: 2321E631200604DB8B24AF15D88096BB795FB94316F54841FFD46AB392DE389C4EC76A
                      APIs
                      • InterlockedDecrement.KERNEL32(?), ref: 00454372
                        • Part of subcall function 0043BCD8: EnterCriticalSection.KERNEL32(00653450,00650230,006501C4,006501C4,0045D19F,-0000000C), ref: 0043BCE9
                        • Part of subcall function 0043BCD8: LeaveCriticalSection.KERNEL32(00653450), ref: 0043BCF8
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CriticalSection$DecrementEnterInterlockedLeave
                      • String ID: 05e$X5e$4e
                      • API String ID: 1807080765-105376989
                      • Opcode ID: de7a32a9d7f55cd3890e7703d5061d5d23f5102dab355519d986e7a7897bce4d
                      • Instruction ID: 4fec5712fca9070ea09bb86e739e35e406cb3c389e45243e3c2a3b78d34794c9
                      • Opcode Fuzzy Hash: de7a32a9d7f55cd3890e7703d5061d5d23f5102dab355519d986e7a7897bce4d
                      • Instruction Fuzzy Hash: 57214771700150ABDB20AE15888053FB798EB8439EF14502BED02DF323EA2CDC9D83A9
                      APIs
                      • InterlockedDecrement.KERNEL32 ref: 0045C069
                        • Part of subcall function 0043BCD8: EnterCriticalSection.KERNEL32(00653450,00650230,006501C4,006501C4,0045D19F,-0000000C), ref: 0043BCE9
                        • Part of subcall function 0043BCD8: LeaveCriticalSection.KERNEL32(00653450), ref: 0043BCF8
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CriticalSection$DecrementEnterInterlockedLeave
                      • String ID: 05e$X5e$4e
                      • API String ID: 1807080765-105376989
                      • Opcode ID: 21cf5ad7c93226b861204dc4e3fae4f750ab719dc56db723a8a0f5a3db73a7e1
                      • Instruction ID: ae96ea7332d1742124176da70999df9cba85a79cd40f35bfe9f85cc342e0a689
                      • Opcode Fuzzy Hash: 21cf5ad7c93226b861204dc4e3fae4f750ab719dc56db723a8a0f5a3db73a7e1
                      • Instruction Fuzzy Hash: E121E6B1604302DFDB14DF9CC8C0A2BB795EF94755F10412FEA1687392EB24AC0C8B5A
                      APIs
                      • InterlockedDecrement.KERNEL32(?), ref: 00454284
                        • Part of subcall function 0043BCD8: EnterCriticalSection.KERNEL32(00653450,00650230,006501C4,006501C4,0045D19F,-0000000C), ref: 0043BCE9
                        • Part of subcall function 0043BCD8: LeaveCriticalSection.KERNEL32(00653450), ref: 0043BCF8
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CriticalSection$DecrementEnterInterlockedLeave
                      • String ID: 05e$X5e$4e
                      • API String ID: 1807080765-105376989
                      • Opcode ID: 277d1b347b181b52acb757948d7807abfd75cc3f9a68be38294c48cc2522d90e
                      • Instruction ID: f3007f097b2fbedb7a1e73db32458244cd17dd8ea101e7079bc4d6e707285f0f
                      • Opcode Fuzzy Hash: 277d1b347b181b52acb757948d7807abfd75cc3f9a68be38294c48cc2522d90e
                      • Instruction Fuzzy Hash: F02175316001644BCB20AA68888497FB7C5FBD538EF5450ABFD428F343DA28DD8CC3A9
                      APIs
                      • InterlockedDecrement.KERNEL32(?), ref: 00454544
                        • Part of subcall function 0043BCD8: EnterCriticalSection.KERNEL32(00653450,00650230,006501C4,006501C4,0045D19F,-0000000C), ref: 0043BCE9
                        • Part of subcall function 0043BCD8: LeaveCriticalSection.KERNEL32(00653450), ref: 0043BCF8
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CriticalSection$DecrementEnterInterlockedLeave
                      • String ID: 05e$X5e$4e
                      • API String ID: 1807080765-105376989
                      • Opcode ID: 7c15210f0867a67a2cc442db37e64e4d2007b24303c083eee36e3eb836dc1bf9
                      • Instruction ID: 21d02fb9002443f31f625792c2f1b62670dd74bb824966d0bdb4e4c58306ae4e
                      • Opcode Fuzzy Hash: 7c15210f0867a67a2cc442db37e64e4d2007b24303c083eee36e3eb836dc1bf9
                      • Instruction Fuzzy Hash: 1921F7716011486BDB14AA25888497F779AFFC430BF54542BFF069F383EA28ED888359
                      APIs
                      • InterlockedIncrement.KERNEL32(00656530), ref: 0043E19F
                      • InterlockedDecrement.KERNEL32(00656530), ref: 0043E1AE
                      • InterlockedDecrement.KERNEL32(00656530), ref: 0043E20C
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Interlocked$Decrement$Increment
                      • String ID: 0ee
                      • API String ID: 2574743344-4269291191
                      • Opcode ID: 0f040ec68cc0a01bf165d915d2c45e5834f5ee4b6cb46a52c3a8430ef3da8096
                      • Instruction ID: 92c90b419664de73eed4163a05478660c041dd3a6141c6aa2780ed5c2ae00b32
                      • Opcode Fuzzy Hash: 0f040ec68cc0a01bf165d915d2c45e5834f5ee4b6cb46a52c3a8430ef3da8096
                      • Instruction Fuzzy Hash: 0721E276001205EBEF20AF56D8442AA77A8EB08B11F50D01BFC559A3C4E7788EC2DB9D
                      APIs
                      • GetModuleFileNameW.KERNEL32(00000000,00000104,00000104), ref: 004786CB
                      • GetLastError.KERNEL32 ref: 00478762
                      • SetLastError.KERNEL32(00000000), ref: 00478775
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: ErrorLast$FileModuleName
                      • String ID: %s\%s
                      • API String ID: 1026760046-4073750446
                      • Opcode ID: 8b1025d5e3fc35c8861bcc6d9fb23ee525a93b8b340020fba712857cf52a3e1d
                      • Instruction ID: cdc4c772c317544571cd2b1892ac28ada88a6357734f3518ba40171a58b232d7
                      • Opcode Fuzzy Hash: 8b1025d5e3fc35c8861bcc6d9fb23ee525a93b8b340020fba712857cf52a3e1d
                      • Instruction Fuzzy Hash: 1D210D72A44300ABD3249771DC84BABB398AF94751F14C53EF90E96340EF78D8058796
                      APIs
                      • lstrlenW.KERNEL32(?,00000000,006501B0,00650230,00000000,004064BC,00000000,00650230,00000000,software\TEC\Ocular.3\agent\debug,PATH,00000000,00650230,?,00650230,?), ref: 00456533
                      • InterlockedDecrement.KERNEL32(-0000000C), ref: 0045655E
                        • Part of subcall function 0043BCD8: EnterCriticalSection.KERNEL32(00653450,00650230,006501C4,006501C4,0045D19F,-0000000C), ref: 0043BCE9
                        • Part of subcall function 0043BCD8: LeaveCriticalSection.KERNEL32(00653450), ref: 0043BCF8
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CriticalSection$DecrementEnterInterlockedLeavelstrlen
                      • String ID: @4e$h4e
                      • API String ID: 837907812-4164473680
                      • Opcode ID: a4330f62b43c7141c8a0b0a88425f2a0ed1a2d72af14484f7ece819b88f1528a
                      • Instruction ID: 9d0650d2cb2fec629626706144fd8c257aa6d7a416f1bfb05647fbf47a87dff4
                      • Opcode Fuzzy Hash: a4330f62b43c7141c8a0b0a88425f2a0ed1a2d72af14484f7ece819b88f1528a
                      • Instruction Fuzzy Hash: 54213E3024051CAB9B30AE15E48463FB3D5FB85706F91002FED0287356EF686D0C835A
                      APIs
                      • InterlockedDecrement.KERNEL32(?), ref: 00452179
                        • Part of subcall function 0043BCD8: EnterCriticalSection.KERNEL32(00653450,00650230,006501C4,006501C4,0045D19F,-0000000C), ref: 0043BCE9
                        • Part of subcall function 0043BCD8: LeaveCriticalSection.KERNEL32(00653450), ref: 0043BCF8
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CriticalSection$DecrementEnterInterlockedLeave
                      • String ID: 05e$X5e$4e
                      • API String ID: 1807080765-105376989
                      • Opcode ID: e582e0d8cce315dbc510d2789684da7dd3eb7e1b2e77125e19c4df6b5c0adf99
                      • Instruction ID: 95b009a2ba650736f0951db4b9711c1abc712525b6e97609ac6f51abe58130f7
                      • Opcode Fuzzy Hash: e582e0d8cce315dbc510d2789684da7dd3eb7e1b2e77125e19c4df6b5c0adf99
                      • Instruction Fuzzy Hash: AE110635205950EFD720AA09854466BBB85EF57316F20541FEF0197353CBA8AC8D87AA
                      APIs
                      • InterlockedDecrement.KERNEL32 ref: 004504BA
                        • Part of subcall function 0043BCD8: EnterCriticalSection.KERNEL32(00653450,00650230,006501C4,006501C4,0045D19F,-0000000C), ref: 0043BCE9
                        • Part of subcall function 0043BCD8: LeaveCriticalSection.KERNEL32(00653450), ref: 0043BCF8
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CriticalSection$DecrementEnterInterlockedLeave
                      • String ID: 05e$X5e$4e
                      • API String ID: 1807080765-105376989
                      • Opcode ID: f7ae991b45995fccd8d839c98e09eee7ccc396394cf6b643739b72a753ce07f0
                      • Instruction ID: ab9e62b2537a876c7067db7cbe0804ada1ea59f66e00e3878b8175c9a86f3881
                      • Opcode Fuzzy Hash: f7ae991b45995fccd8d839c98e09eee7ccc396394cf6b643739b72a753ce07f0
                      • Instruction Fuzzy Hash: 09114C78104115AFD728DF0DF494A7A3795EFE8310B20501FE9C287355EB349C8C8B54
                      APIs
                      • InterlockedDecrement.KERNEL32(-0000000C), ref: 004561CA
                        • Part of subcall function 0043BCD8: EnterCriticalSection.KERNEL32(00653450,00650230,006501C4,006501C4,0045D19F,-0000000C), ref: 0043BCE9
                        • Part of subcall function 0043BCD8: LeaveCriticalSection.KERNEL32(00653450), ref: 0043BCF8
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CriticalSection$DecrementEnterInterlockedLeave
                      • String ID: @4e$XZE$h4e
                      • API String ID: 1807080765-1967504815
                      • Opcode ID: ef8a61f1ba94c86038db6627370ff64e65692257c6f04395dde286c12ccfadc4
                      • Instruction ID: a6b70cb25e6a795cc85a6f561bac7749036dc33047547f0076804d369fb01816
                      • Opcode Fuzzy Hash: ef8a61f1ba94c86038db6627370ff64e65692257c6f04395dde286c12ccfadc4
                      • Instruction Fuzzy Hash: 5B012D326014205797217A0CE545AAF635AEBE4316F92986FF901A7353CB38AC8942BA
                      APIs
                      • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0040A329
                      • GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 0040A339
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: AddressHandleModuleProc
                      • String ID: GetLongPathNameA$kernel32.dll
                      • API String ID: 1646373207-3214324292
                      • Opcode ID: 10370d522c2a983c0285e79508b21114d5a36f91196e8e4bfb95cbc4584e6a91
                      • Instruction ID: a133ca7036c58d3eb7e2003f647bc5ba8afe66e2422a91a108ec6bef8b64264e
                      • Opcode Fuzzy Hash: 10370d522c2a983c0285e79508b21114d5a36f91196e8e4bfb95cbc4584e6a91
                      • Instruction Fuzzy Hash: 2D018835308301ABE720DF69FC44A6FB7A8AB81760F04483AFC01E7280D738E8529666
                      APIs
                      • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0040A3B9
                      • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040A3C9
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: AddressHandleModuleProc
                      • String ID: GetLongPathNameW$kernel32.dll
                      • API String ID: 1646373207-568771998
                      • Opcode ID: cb19e691cecd85b5b416da602113f8264058739c91b717ecd5301c0092d70ad8
                      • Instruction ID: bf27aa9a607698f5e79678870e9250341998fec061e35937d7a11abaf37df3d0
                      • Opcode Fuzzy Hash: cb19e691cecd85b5b416da602113f8264058739c91b717ecd5301c0092d70ad8
                      • Instruction Fuzzy Hash: A6014C75304701ABE720DF65FC45A6B73A8AF80750F04443AF805E3281D678EC56A6A6
                      APIs
                      • InterlockedIncrement.KERNEL32(00656530), ref: 0044A447
                      • InterlockedDecrement.KERNEL32(00656530), ref: 0044A45C
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Interlocked$DecrementIncrement
                      • String ID: 0ee
                      • API String ID: 2172605799-4269291191
                      • Opcode ID: b22ebdb971721ec966d48bb858a74e40ce3a06ca7d44b63a5c9e12b8f5116585
                      • Instruction ID: a083aa8d2002c0655567c316b2ee6ab8fd33ab79cea879bc9477e0473f5294ac
                      • Opcode Fuzzy Hash: b22ebdb971721ec966d48bb858a74e40ce3a06ca7d44b63a5c9e12b8f5116585
                      • Instruction Fuzzy Hash: 43F04C321817115FF720AF55FC8994F6345FF90316F10003FF00095150D7E88955CA6B
                      APIs
                      • InterlockedDecrement.KERNEL32(?), ref: 0045056F
                        • Part of subcall function 0043BCD8: EnterCriticalSection.KERNEL32(00653450,00650230,006501C4,006501C4,0045D19F,-0000000C), ref: 0043BCE9
                        • Part of subcall function 0043BCD8: LeaveCriticalSection.KERNEL32(00653450), ref: 0043BCF8
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CriticalSection$DecrementEnterInterlockedLeave
                      • String ID: 05e$X5e$4e
                      • API String ID: 1807080765-105376989
                      • Opcode ID: 46c0d373fc2e0989e341adcb724bc5540c7a65c7912ab31630fa1dac101b4e20
                      • Instruction ID: c7e514f21d2b0007a91085acadf1b01246d35056a14e33a81ab204b5437f9641
                      • Opcode Fuzzy Hash: 46c0d373fc2e0989e341adcb724bc5540c7a65c7912ab31630fa1dac101b4e20
                      • Instruction Fuzzy Hash: 7AF0F677501038379730F70CA400ADB1649EBB4352F40682FFA43E2292FE589EC886EE
                      APIs
                      • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 004142AE
                      • GetProcAddress.KERNEL32(00000000,SetFilePointerEx), ref: 004142BA
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: AddressHandleModuleProc
                      • String ID: SetFilePointerEx$kernel32.dll
                      • API String ID: 1646373207-2655074446
                      • Opcode ID: 2b3850a18664e9663bcb29cd25e920ea407cef2e833f61dc0315f7b34816d948
                      • Instruction ID: fb4de0f36e8eb645324842d0462a8c901914d284478a0d7723ac953534a383ba
                      • Opcode Fuzzy Hash: 2b3850a18664e9663bcb29cd25e920ea407cef2e833f61dc0315f7b34816d948
                      • Instruction Fuzzy Hash: 60E065B2314342AB8704CFA4EC44E2B73EABBC8702F084A2DB105D3250DB30D844CB25
                      APIs
                      • GetModuleHandleA.KERNEL32(setupapi.dll), ref: 0043267E
                      • GetProcAddress.KERNEL32(00000000,InstallHinfSectionA), ref: 0043268E
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: AddressHandleModuleProc
                      • String ID: InstallHinfSectionA$setupapi.dll
                      • API String ID: 1646373207-1252752664
                      • Opcode ID: 765db9baba2ca4544e759c64e8e1f75af3f9c79b288e9d6cc6c76ebe8d8ffec5
                      • Instruction ID: e259fdb1398ab3f6c9d322631b2ff9527c80a57ee561abed6e8775315cf6d3fb
                      • Opcode Fuzzy Hash: 765db9baba2ca4544e759c64e8e1f75af3f9c79b288e9d6cc6c76ebe8d8ffec5
                      • Instruction Fuzzy Hash: 8DE0EDB4304301AF9724DF61ED85E1773EAAF98711F00981EB819D2290DBB4D811DB25
                      APIs
                      • GetModuleHandleA.KERNEL32(setupapi.dll), ref: 004326CE
                      • GetProcAddress.KERNEL32(00000000,InstallHinfSectionW), ref: 004326DE
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: AddressHandleModuleProc
                      • String ID: InstallHinfSectionW$setupapi.dll
                      • API String ID: 1646373207-3571124930
                      • Opcode ID: d6c88bbbfc03127832acd5c6d2ba20e5be6fe4553605a4a145536df3c6d8dc1e
                      • Instruction ID: ae97eb237437ec43b4a234c9b4ee98129b607c74b99c8bf3d9b3982d7c2f75b0
                      • Opcode Fuzzy Hash: d6c88bbbfc03127832acd5c6d2ba20e5be6fe4553605a4a145536df3c6d8dc1e
                      • Instruction Fuzzy Hash: 72E0C9B4314301BF9724DF65ED5591773AABF98705F00D81EB919C2250DBB4D8049B65
                      APIs
                      • LoadLibraryA.KERNEL32(wsock32.dll,00000000,00539CE1,?,?,?,?,?,000000FF), ref: 0054443C
                      • GetProcAddress.KERNEL32(00000000,WsControl), ref: 0054444C
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: WsControl$wsock32.dll
                      • API String ID: 2574300362-2399415126
                      • Opcode ID: ff006ed19c7eb763adadeb0b3e74685662e677c83a008a9b5395ad46c6ac1ddd
                      • Instruction ID: a52129df3b5813a4cf6d974ced8bba0832f3c31d4a74293eb5727d741af741bd
                      • Opcode Fuzzy Hash: ff006ed19c7eb763adadeb0b3e74685662e677c83a008a9b5395ad46c6ac1ddd
                      • Instruction Fuzzy Hash: 30D05B71380351479F20AF74BC097553BE5FA04B45F06447BF582D3120DBB0D8818F64
                      APIs
                      • CloseHandle.KERNEL32(00000000), ref: 004882B5
                      • CloseHandle.KERNEL32(00000000), ref: 004882DB
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CloseHandle
                      • String ID:
                      • API String ID: 2962429428-0
                      • Opcode ID: 0814b9dd170082674a2c9767a992f790b6b314c8cc284a016f5553412db6da7d
                      • Instruction ID: fc12056e39a4cfccf1954574c529b535932d4602ac2caa13fe6761262af44f95
                      • Opcode Fuzzy Hash: 0814b9dd170082674a2c9767a992f790b6b314c8cc284a016f5553412db6da7d
                      • Instruction Fuzzy Hash: B50140367002216B8310AB6ABC0466FB7A99BD4B62F0184BFFD15C3321DA78DD459BA5
                      APIs
                      • InterlockedDecrement.KERNEL32(?), ref: 0049E491
                      • InterlockedIncrement.KERNEL32(?), ref: 0049E4BD
                      • InterlockedDecrement.KERNEL32(?), ref: 0049E585
                      • InterlockedIncrement.KERNEL32(?), ref: 0049E5B1
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Interlocked$DecrementIncrement
                      • String ID:
                      • API String ID: 2172605799-0
                      • Opcode ID: d4d04d09a60516b742022405046a951d6ae46df53a5ea38c3a9c550139375a0f
                      • Instruction ID: 3a656748db184b29102919751fb0a0a7cce9f3da4a4a68048b50b83774c1f3eb
                      • Opcode Fuzzy Hash: d4d04d09a60516b742022405046a951d6ae46df53a5ea38c3a9c550139375a0f
                      • Instruction Fuzzy Hash: 0B61C1717056058FCF14DF1AD884A2AFBE5FF85324B54466EE8018B351DB39ED08CB85
                      APIs
                      • InterlockedDecrement.KERNEL32(?), ref: 00462800
                      • InterlockedIncrement.KERNEL32(?), ref: 00462827
                      • InterlockedDecrement.KERNEL32(?), ref: 004628FB
                      • InterlockedIncrement.KERNEL32(?), ref: 00462922
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Similarity
                      • API ID: Interlocked$DecrementIncrement
                      • String ID:
                      • API String ID: 2172605799-0
                      • Opcode ID: 47d96e0282396cc9b1ba6e6b3bc4e3c421e2c62d15cb0c6e0c671ddea683ee5b
                      • Instruction ID: aa960d71f18b490da1c20e8a0986511aa72772b192ce81045f32e7bfe7b866d6
                      • Opcode Fuzzy Hash: 47d96e0282396cc9b1ba6e6b3bc4e3c421e2c62d15cb0c6e0c671ddea683ee5b
                      • Instruction Fuzzy Hash: D461BD75700A059FCB04DF19D980A2AF3E6FFC4324B14862EE8058B354EB79E909CB92
                      APIs
                      • InterlockedDecrement.KERNEL32(?), ref: 00460419
                      • InterlockedIncrement.KERNEL32(?), ref: 00460440
                      • InterlockedDecrement.KERNEL32(?), ref: 0046050C
                      • InterlockedIncrement.KERNEL32(?), ref: 00460534
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Similarity
                      • API ID: Interlocked$DecrementIncrement
                      • String ID:
                      • API String ID: 2172605799-0
                      • Opcode ID: bb049dda3ed16fcc6bb2b93104daa45ec0d320e82ff7f98b43575f5bcf441eba
                      • Instruction ID: 96e27123bdf43b4e66e53e70e1108efd240fb32de9974ed547bbe697062436a0
                      • Opcode Fuzzy Hash: bb049dda3ed16fcc6bb2b93104daa45ec0d320e82ff7f98b43575f5bcf441eba
                      • Instruction Fuzzy Hash: 6C619E353016058FCB14DF1AD880A2BB7E5FFD5324B14856EE9068B351EB39ED09CB96
                      APIs
                      • lstrlenA.KERNEL32(?), ref: 0049E290
                        • Part of subcall function 00495C10: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00653C1D,00653C1D,00000000,00495B79,00653C1D,00000000,00000000,00000000), ref: 00495C27
                      • lstrlenA.KERNEL32(00000000,?,00000000,00000000,00000100), ref: 0049E240
                      • InterlockedIncrement.KERNEL32(?), ref: 0049E365
                      • InterlockedDecrement.KERNEL32(?), ref: 0049E3A3
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Similarity
                      • API ID: Interlockedlstrlen$DecrementHandleIncrementModule
                      • String ID:
                      • API String ID: 1543517206-0
                      • Opcode ID: 32ec2376aea5d660092e6a5c0bd66f16883743be39e06aa9a4ba5c272ffb44f0
                      • Instruction ID: 900bcde17f68f935ac19516a833e5147c5cc3479c60c9282a4bfc3367caf37ae
                      • Opcode Fuzzy Hash: 32ec2376aea5d660092e6a5c0bd66f16883743be39e06aa9a4ba5c272ffb44f0
                      • Instruction Fuzzy Hash: B051D3B16046029BCB24DF16C881A6BBBEABF94704F144A3EF956873C0DB78DC05CB95
                      APIs
                        • Part of subcall function 0045A260: FindResourceExA.KERNEL32(006501B0,00000006,00650231,006501B0), ref: 0045A281
                        • Part of subcall function 0045A260: LoadResource.KERNEL32(006501B0,00000000), ref: 0045A28D
                      • lstrlenW.KERNEL32(?), ref: 0045A38F
                      • InterlockedDecrement.KERNEL32(-0000000C), ref: 0045A456
                      • InterlockedDecrement.KERNEL32(-0000000C), ref: 0045A4E5
                      • lstrlenW.KERNEL32(?,?,?,?,?,-00000001), ref: 0045A4F9
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Similarity
                      • API ID: DecrementInterlockedResourcelstrlen$FindLoad
                      • String ID:
                      • API String ID: 2751884695-0
                      • Opcode ID: ff1bc7a41ad3b8fb36bb62612b258741f53dff8493729a19ddd99cf95353d15f
                      • Instruction ID: 36a505e8dac3f636fe5683c1ea531c79dca7e02b684f573d13eb1f6633b4540a
                      • Opcode Fuzzy Hash: ff1bc7a41ad3b8fb36bb62612b258741f53dff8493729a19ddd99cf95353d15f
                      • Instruction Fuzzy Hash: AD519D3160061A8FCB14EF14C89996FB7A6FF84314F44852EEC0687352DB39E90DCB52
                      APIs
                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,6CBB7610), ref: 004148D5
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Similarity
                      • API ID: CloseHandle
                      • String ID: Explorer.exe$IExplore.exe$dwm.exe
                      • API String ID: 2962429428-552001724
                      • Opcode ID: c46d6285c3b4cdd40081e61b4607206ce3e3db00214623fd698e06384629d3f2
                      • Instruction ID: d9883e726019121ffb5984ca024f6883d4f1fa8a5d8a97250d5c59913c23dddb
                      • Opcode Fuzzy Hash: c46d6285c3b4cdd40081e61b4607206ce3e3db00214623fd698e06384629d3f2
                      • Instruction Fuzzy Hash: 9151E6755043818BC320EF65D885AAFB7D4FBD4314F140A2EF59587381EB389948C767
                      APIs
                      • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,?,?,0064FD78,0064FD78,?,00000000), ref: 004663A2
                      • RegSetValueExA.ADVAPI32(?,?,00000000,00000007,00000000,?), ref: 004664C3
                      • RegCloseKey.ADVAPI32(?), ref: 004664D4
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Similarity
                      • API ID: CloseCreateValue
                      • String ID:
                      • API String ID: 1818849710-0
                      • Opcode ID: 008d39c0d4f086386c12876346e11dca18d33c5ec0ef707a267a7946f1dce4d7
                      • Instruction ID: e75e9a8b2e728efe0b80661aa55ddb35706114b3a8514aa9ee4efdb56f870f5a
                      • Opcode Fuzzy Hash: 008d39c0d4f086386c12876346e11dca18d33c5ec0ef707a267a7946f1dce4d7
                      • Instruction Fuzzy Hash: A641D4716042005BD714CE28D881A6FB7D5FBC8358F054A2DF98AE7391EB78EE058796
                      APIs
                      • GetModuleHandleA.KERNEL32(00000000,?,00000000,?), ref: 004942DF
                        • Part of subcall function 00494E40: FindResourceExA.KERNEL32(?,00000006,00650231,?), ref: 00494E61
                        • Part of subcall function 00494E40: LoadResource.KERNEL32(?,00000000), ref: 00494E6D
                      • lstrlenA.KERNEL32(?), ref: 0049430F
                      • GetModuleHandleA.KERNEL32(00000000,?,00000000,-00000001,00000000,?,-00000001), ref: 004943A1
                      • InterlockedDecrement.KERNEL32(?), ref: 00494409
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Similarity
                      • API ID: HandleModuleResource$DecrementFindInterlockedLoadlstrlen
                      • String ID:
                      • API String ID: 4204874513-0
                      • Opcode ID: c3c007b8c1bbddd6e5b6b01dfc5b40dfe558747eff3fc3eea09fa5de389ce8f4
                      • Instruction ID: 2c53e169ee6a17bd41850789bfc94797335c1028938a5b9d6306d3a02b4b0866
                      • Opcode Fuzzy Hash: c3c007b8c1bbddd6e5b6b01dfc5b40dfe558747eff3fc3eea09fa5de389ce8f4
                      • Instruction Fuzzy Hash: C441D1716083429BDB24DF24D885BAFBBE5FBD4714F004A2EF95587280D778E909CB92
                      APIs
                        • Part of subcall function 005983C0: LoadLibraryW.KERNEL32(psapi.dll,?,004A556A), ref: 005983F4
                      • OpenProcess.KERNEL32(00000410,00000000,?,00000000,000000FF,00000000,000000FF), ref: 004A619E
                      • OpenProcess.KERNEL32(02000000,00000000,?), ref: 004A61AD
                      • OpenProcess.KERNEL32(00001000,00000000,?), ref: 004A61BC
                      • CloseHandle.KERNEL32(00000000), ref: 004A6255
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Similarity
                      • API ID: OpenProcess$CloseHandleLibraryLoad
                      • String ID:
                      • API String ID: 57012169-0
                      • Opcode ID: e7e183ca404ccc9d74771aa0676cedb211ce6c1aeb57a5875936ac254bcf99e8
                      • Instruction ID: 9b64d7260647db2592b1f41f19b9a92e497c151a5affdd45b4cc66a484ce82bc
                      • Opcode Fuzzy Hash: e7e183ca404ccc9d74771aa0676cedb211ce6c1aeb57a5875936ac254bcf99e8
                      • Instruction Fuzzy Hash: 3731B3712083466BD720EFA5DC44FABBBD9EF99710F140929F565872C1DBB4E804C7A2
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: aafdfdcf2f45667b0b9a192d70537c7fa12d0907d0ea2c6ac21dc391d8711b06
                      • Instruction ID: f3ec7cac3e9d1c30436d5a393c5424c35393888300a37d8b3bb7a6fdf11f044e
                      • Opcode Fuzzy Hash: aafdfdcf2f45667b0b9a192d70537c7fa12d0907d0ea2c6ac21dc391d8711b06
                      • Instruction Fuzzy Hash: A3219AB22053125B9314EF64EC8492FB7EAFB84B55F950E2EF506C3300EB79E8088B51
                      APIs
                      • lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,0040834C,?), ref: 005BC621
                      • GetFileTime.KERNEL32(?,?,?,?,?,?,?,?,0040834C,?), ref: 005BC642
                      • GetFileSize.KERNEL32(?,00000000,?,?,?,?,0040834C,?), ref: 005BC651
                      • GetFileAttributesA.KERNEL32(?,?,?,?,?,0040834C,?), ref: 005BC672
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: File$AttributesSizeTimelstrcpyn
                      • String ID:
                      • API String ID: 1499663573-0
                      • Opcode ID: 26eb375b1890b3f5ba38f30de203f66f252e34ef256f70f52e496d3fe0cf240e
                      • Instruction ID: 49235aa61de71876bb73724110e1c5b89cdf72b4f5d16de16670b55653835266
                      • Opcode Fuzzy Hash: 26eb375b1890b3f5ba38f30de203f66f252e34ef256f70f52e496d3fe0cf240e
                      • Instruction Fuzzy Hash: A4314DB2500605AFD720DFA4D885EEBBFB8BB14711F10992AF156C7590EB70B989CB90
                      APIs
                      • FindResourceExA.KERNEL32(?,00000006,?,?), ref: 00454753
                      • LoadResource.KERNEL32(?,00000000,?,?,?,0064FD78,0044FF72,?,?,00000000,?,00000100), ref: 0045475F
                      • OutputDebugStringW.KERNEL32(-00000002,?,?,?,0064FD78,0044FF72,?,?,00000000,?,00000100), ref: 00454776
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,-00000002,00000000,?,?,00000000,00000000,?,?,?,0064FD78,0044FF72,?,?,00000000), ref: 004547B9
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Resource$ByteCharDebugFindLoadMultiOutputStringWide
                      • String ID:
                      • API String ID: 3173365000-0
                      • Opcode ID: 91d4c175efeb294d36faaa8fd976fdfecfe5ac1cef29fe34b7479ec59d594cda
                      • Instruction ID: bd0a62013a431cd218fc16daaeb585c76705b6ce58b3b09845f325d1f1bd7d56
                      • Opcode Fuzzy Hash: 91d4c175efeb294d36faaa8fd976fdfecfe5ac1cef29fe34b7479ec59d594cda
                      • Instruction Fuzzy Hash: 661123363057182FF3248A29AC45B7B73C9EBC5766F14023AFD42D7380EB229C098294
                      APIs
                      • SetLastError.KERNEL32(00000057,?,6CE64920), ref: 00482169
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: ErrorLast
                      • String ID: *$\$\
                      • API String ID: 1452528299-2492519292
                      • Opcode ID: 086e508a5920bb10100604f787cd00cc93e83b8e81efa76cada8b80eb1638fd9
                      • Instruction ID: a1de7b0c9fe933c156a0150df253ff67a204655facfca0cd4a02d567b2fe4022
                      • Opcode Fuzzy Hash: 086e508a5920bb10100604f787cd00cc93e83b8e81efa76cada8b80eb1638fd9
                      • Instruction Fuzzy Hash: 4621F0315083419BD330AB14DD84BDBB3E9EBC8355F008C3EEA4A93340E7B9951887D6
                      APIs
                      • RegCreateKeyExA.ADVAPI32(00000000,?,00000000,00000000,00000000,?,00000000,00000000,?,?,00000000,?,004131A3,00000000,UninstallString,?), ref: 0046603A
                      • RegSetValueExA.ADVAPI32(00000000,80000002,00000000,00000001,004131A3,?,80000002,?,00000000,?,004131A3,00000000,UninstallString,?,?,00020019), ref: 00466071
                      • RegCloseKey.ADVAPI32(00000000), ref: 00466081
                      • RegCloseKey.ADVAPI32(00000000), ref: 00466097
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Close$CreateValue
                      • String ID:
                      • API String ID: 1009429713-0
                      • Opcode ID: ca8b481203dde419875277be55df6e73d0568bd7e8f1734e3f1aafd65a50fe29
                      • Instruction ID: c940793851422a8b5d8e05dc61fc75370b5696827136c8d11a89601f2695de50
                      • Opcode Fuzzy Hash: ca8b481203dde419875277be55df6e73d0568bd7e8f1734e3f1aafd65a50fe29
                      • Instruction Fuzzy Hash: 7711C632215220AFE330CE28DC88FABB39DEB84710F15862FF547D7281D665AC0043A6
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9d3d9f01863cfc105da120e88c438d4d1a1150d16a0a92d15a971d98c59daa54
                      • Instruction ID: a5b2f70b06b6236ab9dbcfa247ea8f648bd229ed2e69eaae2291c7096cd4da07
                      • Opcode Fuzzy Hash: 9d3d9f01863cfc105da120e88c438d4d1a1150d16a0a92d15a971d98c59daa54
                      • Instruction Fuzzy Hash: 1C115175605200ABD720DB64D894E6B77E8BBA4354F10C92EF885D3250D738E849CB91
                      APIs
                      • CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040E267
                        • Part of subcall function 0040DE40: ReadFile.KERNEL32(?,00000200,00000200,?,00000000), ref: 0040DEEF
                      • CloseHandle.KERNEL32(00000000), ref: 0040E353
                        • Part of subcall function 0040E020: GetVolumeInformationW.KERNEL32(?,00000000,00000000,?,?,?,?,00000010), ref: 0040E0A7
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: File$CloseCreateHandleInformationReadVolume
                      • String ID: \\.\A:
                      • API String ID: 742283298-1028187082
                      • Opcode ID: 8c330afe274d012282257d859cb79aded91ca0cf1acbd4aac64155dcd5c1975f
                      • Instruction ID: 9774a2ab2eea3c149db55e401fc61eb146346e52c5884f1750340dc5970abde6
                      • Opcode Fuzzy Hash: 8c330afe274d012282257d859cb79aded91ca0cf1acbd4aac64155dcd5c1975f
                      • Instruction Fuzzy Hash: DD41BD715083419BD320DF6698C096FBBE5BB84710F180E3FF895A7391D378A9188B9A
                      APIs
                      • GetEnvironmentVariableA.KERNEL32(USERPROFILE,00000104,00000104), ref: 0047E06B
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: EnvironmentVariable
                      • String ID: %s\%s$USERPROFILE
                      • API String ID: 1431749950-2153575995
                      • Opcode ID: 2d5eea177a4ce60cd32b6b4c35d4f7896440a24952a2ecf85804752bb8ef1fcc
                      • Instruction ID: 1989997d622517da5447725127eee8636917334c7833e02b17c3c2127da18d2b
                      • Opcode Fuzzy Hash: 2d5eea177a4ce60cd32b6b4c35d4f7896440a24952a2ecf85804752bb8ef1fcc
                      • Instruction Fuzzy Hash: 1B310A757043042AE324D529DC427EB73C5EBD8710F448F3EF6A9822C1EEB8D9058295
                      APIs
                      • DeviceIoControl.KERNEL32(?,00223066,?,00000014,00000000,00000000,?,00000000), ref: 0042E15C
                        • Part of subcall function 0046F590: InterlockedDecrement.KERNEL32(?), ref: 0046F625
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: ControlDecrementDeviceInterlocked
                      • String ID: IEST$QEST
                      • API String ID: 4270284584-3159810530
                      • Opcode ID: 038204763a470d8fb03e73179c63524e5fba35c3aa0a4eb9523b66b0c4023078
                      • Instruction ID: bc9eecc1739d1511bd93dc39a205a7ba4945e8602fc2750658df42db551d2dd3
                      • Opcode Fuzzy Hash: 038204763a470d8fb03e73179c63524e5fba35c3aa0a4eb9523b66b0c4023078
                      • Instruction Fuzzy Hash: B831BE717043109BD710DF269840B2FB7E5EFC8368F444A2EF89897381E738D9048B96
                      APIs
                      • DeviceIoControl.KERNEL32(?,002230A2,?,00000014,00000000,00000000,?,00000000), ref: 0042E3CC
                        • Part of subcall function 0046F590: InterlockedDecrement.KERNEL32(?), ref: 0046F625
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: ControlDecrementDeviceInterlocked
                      • String ID: IECT$PAGT
                      • API String ID: 4270284584-1251173824
                      • Opcode ID: afeb6f9fe6f9f0ad5ae39e603dd9168807021d078f21752aea2cafc807c1eb65
                      • Instruction ID: c91efcf6fdabf4298820ad67d9b7115917a00112e879f2583b45f4e53cb6b9cd
                      • Opcode Fuzzy Hash: afeb6f9fe6f9f0ad5ae39e603dd9168807021d078f21752aea2cafc807c1eb65
                      • Instruction Fuzzy Hash: 2A31AF717043109BDB10EF26A840B6BB7E5EBC8328F44492EF99497381E739D9048BA6
                      APIs
                      • DeviceIoControl.KERNEL32(?,002230A2,?,00000014,00000000,00000000,?,00000000), ref: 0042E4FC
                        • Part of subcall function 0046F590: InterlockedDecrement.KERNEL32(?), ref: 0046F625
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: ControlDecrementDeviceInterlocked
                      • String ID: IECT$PAGT
                      • API String ID: 4270284584-1251173824
                      • Opcode ID: 28a0118d63181d164c6aa5244397af21193f1eb17c2a6a0755e34b0764b38106
                      • Instruction ID: dc093da50b320a4db6f216daa190efa805cdda6487925065766dcb579c0e82e3
                      • Opcode Fuzzy Hash: 28a0118d63181d164c6aa5244397af21193f1eb17c2a6a0755e34b0764b38106
                      • Instruction Fuzzy Hash: 3631AF71704310ABDB10EF26A840B6BB7E5EFC8368F44492EF59497381E738D9048BA6
                      APIs
                      • GetEnvironmentVariableW.KERNEL32(USERPROFILE,00000104,00000104), ref: 0047E1CC
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: EnvironmentVariable
                      • String ID: %s\%s$USERPROFILE
                      • API String ID: 1431749950-2153575995
                      • Opcode ID: ad9383567ffbf477a6c86706e96226492cfff5eee2853d0ab4635e4890951d7f
                      • Instruction ID: 3d156178d3711cf01bf1383cf02bd339511c2891bd4c1f78a6bec4528c262263
                      • Opcode Fuzzy Hash: ad9383567ffbf477a6c86706e96226492cfff5eee2853d0ab4635e4890951d7f
                      • Instruction Fuzzy Hash: BE31C4B66042006AE730D665D881BEB739CAFD8704F448D7EF64C92251E6B9D988839B
                      APIs
                      • InterlockedDecrement.KERNEL32(-0000000C), ref: 0045A155
                        • Part of subcall function 0043BCD8: EnterCriticalSection.KERNEL32(00653450,00650230,006501C4,006501C4,0045D19F,-0000000C), ref: 0043BCE9
                        • Part of subcall function 0043BCD8: LeaveCriticalSection.KERNEL32(00653450), ref: 0043BCF8
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CriticalSection$DecrementEnterInterlockedLeave
                      • String ID: @4e$h4e
                      • API String ID: 1807080765-4164473680
                      • Opcode ID: 4f54be4f1d226e93e390a2ae6b6a82ba4d2f1aaae23bba2b75a135cef165d9af
                      • Instruction ID: a1342d53949bfb04f4ee53bdf8684023b9831da89c268dcfe7ebc2036bfc1a4a
                      • Opcode Fuzzy Hash: 4f54be4f1d226e93e390a2ae6b6a82ba4d2f1aaae23bba2b75a135cef165d9af
                      • Instruction Fuzzy Hash: AA2128716005099BDB14AE25CC8596BB759FB4435AF18922BFD069B343DE38EC1C83A7
                      APIs
                      • InterlockedDecrement.KERNEL32(?), ref: 0045A067
                        • Part of subcall function 0043BCD8: EnterCriticalSection.KERNEL32(00653450,00650230,006501C4,006501C4,0045D19F,-0000000C), ref: 0043BCE9
                        • Part of subcall function 0043BCD8: LeaveCriticalSection.KERNEL32(00653450), ref: 0043BCF8
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CriticalSection$DecrementEnterInterlockedLeave
                      • String ID: @4e$h4e
                      • API String ID: 1807080765-4164473680
                      • Opcode ID: bb62c57b896fe68dfcefeb912c52a6640a5b10f113faa9b63fb8f472cfb82ef3
                      • Instruction ID: 58b46640b5c86c03ad31f06794ce8d76cb12f50bdf1494d3d885301eb6ffe440
                      • Opcode Fuzzy Hash: bb62c57b896fe68dfcefeb912c52a6640a5b10f113faa9b63fb8f472cfb82ef3
                      • Instruction Fuzzy Hash: AC2138712101159BCB24AE24D89587BB396FB44B06B54822FFD028B3C2DA79DC59C36B
                      APIs
                      • InterlockedDecrement.KERNEL32(?), ref: 004584F5
                        • Part of subcall function 0043BCD8: EnterCriticalSection.KERNEL32(00653450,00650230,006501C4,006501C4,0045D19F,-0000000C), ref: 0043BCE9
                        • Part of subcall function 0043BCD8: LeaveCriticalSection.KERNEL32(00653450), ref: 0043BCF8
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CriticalSection$DecrementEnterInterlockedLeave
                      • String ID: @4e$h4e
                      • API String ID: 1807080765-4164473680
                      • Opcode ID: cb1822cc3b55e409aa030b7d0defa60b24f923826017f9e2b2edcea5d84eb0fa
                      • Instruction ID: ac316ed6d0011e4e8736b85da77a32c019ce0ed5ce65b0b2c248d573013cf46f
                      • Opcode Fuzzy Hash: cb1822cc3b55e409aa030b7d0defa60b24f923826017f9e2b2edcea5d84eb0fa
                      • Instruction Fuzzy Hash: 6C21F97120010DABCB14EE18C88596FB396FB54706B94841EED05AF352EF38ED4DC769
                      APIs
                      • InterlockedDecrement.KERNEL32(?), ref: 00456134
                        • Part of subcall function 0043BCD8: EnterCriticalSection.KERNEL32(00653450,00650230,006501C4,006501C4,0045D19F,-0000000C), ref: 0043BCE9
                        • Part of subcall function 0043BCD8: LeaveCriticalSection.KERNEL32(00653450), ref: 0043BCF8
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CriticalSection$DecrementEnterInterlockedLeave
                      • String ID: @4e$h4e
                      • API String ID: 1807080765-4164473680
                      • Opcode ID: 8c8cf20cc7f5995314895f784d2b0ec9471e061af034e67e4d680c3e022e7dfb
                      • Instruction ID: d3a2d7dcb185c2a011549c935c23496a5bbcb74f5d64fecaf2020b001681c613
                      • Opcode Fuzzy Hash: 8c8cf20cc7f5995314895f784d2b0ec9471e061af034e67e4d680c3e022e7dfb
                      • Instruction Fuzzy Hash: 081106763004055B8B14AE19D8D593BB39AFBC8366BA5543FFA02CB343DB28EC4D8264
                      APIs
                      • InterlockedDecrement.KERNEL32(?), ref: 0045635D
                        • Part of subcall function 0043BCD8: EnterCriticalSection.KERNEL32(00653450,00650230,006501C4,006501C4,0045D19F,-0000000C), ref: 0043BCE9
                        • Part of subcall function 0043BCD8: LeaveCriticalSection.KERNEL32(00653450), ref: 0043BCF8
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CriticalSection$DecrementEnterInterlockedLeave
                      • String ID: @4e$h4e
                      • API String ID: 1807080765-4164473680
                      • Opcode ID: 62c0ba24c1fc05e79895e8d2639b621899fcccd0da7858eca9589db0750965f7
                      • Instruction ID: d32969ab5e3d697f0eebf34522c534f680cb4b9de13690e8e8c6ba29fb34d08f
                      • Opcode Fuzzy Hash: 62c0ba24c1fc05e79895e8d2639b621899fcccd0da7858eca9589db0750965f7
                      • Instruction Fuzzy Hash: 6C1129312006149B9B24AE18C88566FB39AFF45312F91206FFD0297353CB39BD4C87AB
                      APIs
                      • FindResourceExA.KERNEL32(?,00000006,G`I,?), ref: 0049A641
                      • LoadResource.KERNEL32(?,00000000), ref: 0049A64D
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: Resource$FindLoad
                      • String ID: G`I
                      • API String ID: 2619053042-3765031108
                      • Opcode ID: f956e9c6e445be1a0a565905920a7263ea0a86acf557c558562f88bb1a57d365
                      • Instruction ID: 301315ee596ab32070831a4e979dcbf58db3cd7c8c434bfafeca15deb27bb23e
                      • Opcode Fuzzy Hash: f956e9c6e445be1a0a565905920a7263ea0a86acf557c558562f88bb1a57d365
                      • Instruction Fuzzy Hash: B501C0322152125FDB288A28EC40A7BB399FFC5310B1A453FF886C7340DA34ED4686A9
                      APIs
                      • InterlockedDecrement.KERNEL32(-000000F4), ref: 00456256
                        • Part of subcall function 0043BCD8: EnterCriticalSection.KERNEL32(00653450,00650230,006501C4,006501C4,0045D19F,-0000000C), ref: 0043BCE9
                        • Part of subcall function 0043BCD8: LeaveCriticalSection.KERNEL32(00653450), ref: 0043BCF8
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: CriticalSection$DecrementEnterInterlockedLeave
                      • String ID: @4e$h4e
                      • API String ID: 1807080765-4164473680
                      • Opcode ID: 2f811cea1c8bdc6e9ca702a14f82d8c729867f4af84298733ae08f89e341a89b
                      • Instruction ID: 29d53d8c11f38db9835bfbbfc1dec92a1e5ccbb17f02c06529ae79308f075e63
                      • Opcode Fuzzy Hash: 2f811cea1c8bdc6e9ca702a14f82d8c729867f4af84298733ae08f89e341a89b
                      • Instruction Fuzzy Hash: FBF07D315000106FDB247A5CF865BBA338DEF98325F9210AFF50287392EE184C8C4294
                      APIs
                      • lstrlenA.KERNEL32(?,?,?,?,.txt,_NEW.txt,?), ref: 005B83EE
                      • lstrlenA.KERNEL32(?,?,.txt,_NEW.txt,?), ref: 005B840B
                      • lstrlenA.KERNEL32(756F0440,?,.txt,_NEW.txt,?), ref: 005B843D
                      • lstrlenA.KERNEL32(?,?,?,00000000,?,.txt,_NEW.txt,?), ref: 005B8512
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: lstrlen
                      • String ID:
                      • API String ID: 1659193697-0
                      • Opcode ID: 22912f1b482dda0b78ac4b999a88e65ddbe8b0c96efe9e4f75bff8f2b0f535e7
                      • Instruction ID: 0d78cc21f5730f9ab90ccb920e18bd505d2521a08aac8e6530e55bc66b250bf5
                      • Opcode Fuzzy Hash: 22912f1b482dda0b78ac4b999a88e65ddbe8b0c96efe9e4f75bff8f2b0f535e7
                      • Instruction Fuzzy Hash: 7A415A76D0021AEFCF10DFA9D9849EEBBB9FF08314B14546AE901A7211DB34AE45CB90
                      APIs
                      • HeapReAlloc.KERNEL32(00000000,?,00000000,00000000,00446218,00000000,00000000,00000000,0043E6B7,00000000,00000000,?,00000000,00000000,00000000), ref: 00446478
                      • HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00446218,00000000,00000000,00000000,0043E6B7,00000000,00000000,?,00000000,00000000,00000000), ref: 004464AC
                      • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 004464C6
                      • HeapFree.KERNEL32(00000000,?), ref: 004464DD
                      Memory Dump Source
                      • Source File: 00000011.00000002.1442926624.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_400000_systecv3.jbxd
                      Similarity
                      • API ID: AllocHeap$FreeVirtual
                      • String ID:
                      • API String ID: 3499195154-0
                      • Opcode ID: 7219fd97f56185b1b811c83fa5cb854f1e5e37bbd3710195bac0f837e8c2afa5
                      • Instruction ID: 43f511a46b7d85a7d18e179cca748d23b4cac63a3c45b0ac3e6b78b2fdf6a777
                      • Opcode Fuzzy Hash: 7219fd97f56185b1b811c83fa5cb854f1e5e37bbd3710195bac0f837e8c2afa5
                      • Instruction Fuzzy Hash: 5B119E70240300AFD732CF18EC459227BB2FB95326B905A2AF192C31B4E332A906CF54